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A.  This  is  the  portion  of  the  GAL  that  was  on  the  disk  that 

I  looked  at  earlier.  It's  —  this  is  the  user  name,  unit.  This  is 
the  standard-type  text  we  would  have  on  the  end  of  the  GAL,  so  as  you 
were  searching  through,  if  you  didn't  necessarily  know  the  name,  you 
would  have  other  information.  So,  for  instance,  from  the  first  line, 
you  could  tell  that  John  worked  —  he  was  a  master  sergeant  and  he 
worked  at  MNF-I. 

TC [MAJ  FEIN] :  Okay. 

Your  Honor,  permission  to  publish  148bravo. 

MJ:  Go  ahead. 

[PE  148b  was  published  and  displayed  using  the  electronic  projector.] 

Q.  Chief  Rouillard,  do  you  recognize  this  document? 

A.  Yes,  sir. 

Q.  And  what  is  this? 

A.  This  is  another  portion  of  that  GAL  extract.  This  is 

actually  extract  —  it  looks  —  it  appears  to  be  —  have  been 
extracted  from  the  Exchange  Server  itself,  because  the  first  part 
where  it  says,  "First  Administrative  Group  Recipients,"  that's 
similar  to  Active  Directory  because  Active  Directory  and  Exchange 
kind  of  install  together.  The  primary  important  part  here  is  the 
last  part  of  that.  For  instance,  John. iraqcentcommil,  so 
John . Black@iraqcentcommil  would  have  been  his  e-mail  address. 
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Q.  Now  when  forces  rotated  out  of  Iraq,  what  happened, 

typically,  to  their  GAL  entry? 

A.  When  —  probably  30  days  prior,  we  would  start 

coordination.  The  short  answer  is  their  addresses  would  come  out  of 
the  GAL  relatively  quickly  because  we  didn't  want  expired  e-mail 
addresses  out  there  or  duplicates,  and  so  as  these  quys  would  rotate 
out,  within  a  couple  weeks  the  higher  up,  so  if  it  was  a  brigade,  the 
division,  or  if  at  the  division,  MNF-I  or  USF-I  would  delete  their 
portion  out  of  their  Exchange  Server  so  it  wasn't  replicated  around 

Q.  Okay. 

A.  -  and  then  they  would  come  out. 

Q.  And  from  a  cyber  threat  perspective,  what  potential 

threats  are  there  with  this  information  being  released? 

A.  So  just  this  information,  if  this  is  active  right  now,  I 

can  tell  user  names  with  —  which  then  I  just  need  the  password.  I 
can  also  tell  what  server  they're  on  —  see  if  this  [pause]  —  so 
that  there  is  the  server  that  they're  on,  so  iraqcentcommil .  Because 
it's  connected  to  the  unclassified  network,  or  the  NIPRNet,  I  can  get 
to  that  server  from  anywhere.  I  can  get  to  that  from  anywhere  in  the 
world  because  that's  how  we  design  them,  so  I  could  then  target 
Lena. Black  on  that  server,  but  this  also  tells  me  the  different 
servers  that  are  —  that  they're  on,  so  you  can  look  down  towards  the 
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bottom  where  they've  got  that  MND-B,  so  that's  a  user  off  of  a 
different  server,  and  it  kind  of  —  you  can  then  use,  like,  a  basic 
script  and  break  all  these  portions  up  in  —  to  have  different  groups 
of  people,  so  now  I  know  which  server  they  exist  on. 

Q.  And  if  someone  has  rotated  out  of  theater  after  this  left 

the  possession  of  the  government,  then  how  else  could  it  be  used  to 
further  foreign  adversaries'  and  spear  phishers'  endeavors? 

A.  So  because  our  standard  operating  procedure  for  all  of 

our  signal  guys  that  we  teach  is  to  use  your  AKO  e-mail  address,  the 
first  portion,  for  the  address  deconf liction,  it  would  be  the  same. 

I  could  take  Tracy. Black  or  Zachary . Black  and  just  do  @us. army. mil 
and  that's  their  AKO  e-mail  address  or  now  your  mail.mil  address  and 
I  could  still  use  a  similar  spear  phishing  campaign  to  target  you,  so 
if  I  knew  you  were  in  10th  Mountain  at  the  time  or  ND  —  MND-B  at  the 
time,  we're  looking  for  all  personnel  that  were  assigned  to  MND-B 
between  2009  and  2011,  please  reply  by  filling  out  this  for  your 
unit's  --  your  meritorious  unit  commendation.  Fill  out  this  basic 
information,  and  so  that  would  be  another  example  of  a  spear  phishing 
technique,  because  I  could  —  it's  relatively  easy  to  craft  -- 
falsify  the  source,  say  it's  coming  from,  you  know.  Army  PAO  or 
something,  that's  a  relatively  easy  technique.  I  just  tell  —  I'd 
connect  to  a  mail  server.  I  could  stand  up  a  mail  server;  create 
whoever  I  wanted;  send  this  out  with  a  small  pdf  or  a  link  to  a  Web 
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site,  "Please  connect  to  this  Web  site  and  input  your  information  to 
ensure  you  get  this  certificate  of  participation  in  the  Iraq 
campaign. " 

Q.  So  can  you  explain,  though,  this  is  showing  —  you  used 

the  example  —  and  for  the  record  Chief  Rouillard  underlined  the 
second  line  from  the  bottom  —  or  from  the  top  underlines 
"centcom.mil"  in  the  second  —  excuse  me  —  the  third  line  from  the 
top.  Could  you  please  explain  using  the  same  one  how  does  one  —  how 
would  one  use  "Lena.Blackbox@iraq.centcom.mil"  to  do  that  after 
someone's  rotated  out  of  theater? 

[The  assistant  defense  counsel,  CPT  Tooman,  stood  up.] 

MJ:  Hold  on  just  a  minute. 

Yes? 

ADC [CPT  TOOMAN]:  Ma'am,  objection  based  on  relevance.  This 
line  of  questioning  would  be  more  in  line  with  the  793  offense;  what 
could  or  could  not  happen,  that's  not  relevant  for  a  641. 

TC [MAJ  FEIN]:  Your  Honor,  the  United  States  is  offering  this, 
its  relevance  is  still  to  value  as  a  fact  witness.  This  goes 
directly  to  what  could  potentially  happen,  and  the  United  States 
intends  to  call  Mr.  Lewis  who's  going  to  talk  about  foreign 
adversaries  and  what  they  do  with  our  contact  information,  including 
e-mails . 
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ADC [CPT  TOOMAN] :  We  would  then  object  based  on  701.  If  we're 
talking  about  value,  this  type  of  value  would  require  specialized 
knowledge  under  701.  Mr.  Rouillard's  not  qualified  as  an  expert 
anymore,  so  this  sort  of  testimony  wouldn't  - 

MJ:  He's  laying  factual  information  at  this  point.  I'm  going 

to  overrule  it. 

Go  ahead. 

Q.  So  to  reask  the  question:  You  testified  that 

"Lena. Blackbox"  —  last  name  —  "@iraq. centcom.mil"  was  the  e-mail 
that's  listed  in  this  GAL.  How  does  that  e-mail  —  how  would  that 
e-mail  then  be  used  by  foreign  adversaries  or  spear  phishers,  because 
that's  the  Iraq  e-mail  and  when  they  rotate  out  that  e-mail  no  longer 
exists? 

A.  Right,  but  the  first  half  of  that  e-mail,  as  we've 

discussed,  is  the  same  for  your  U.S.  Army  mail  - 

Q.  Okay. 

A.  -  e-mail  address,  so  I  could  even  do  it  in  a  script. 

I  could  take  this  entire  GAL  list  - 

Q.  I'm  sorry.  What  do  you  mean  by  "script"? 

A.  A  simple  text  file  —  so  scripting  language  is  a  way  to 

automate  tasks  and  one  of  --  like,  for  instance,  a  "Python"  is  one  of 
the  languages  you  can  use  to  script,  so  I  can  take  an  input  file,  I 
can  extract  certain  fields,  so  I  can  say  extract  everything  after 
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slash  cn  equals.  It'll  extract  that  address,  strip  off  the 
iraqcentcoimnil  and  paste  in  a  @usarmymil  and  you  can  actually 
automate  this,  but  you  could  just  as  easily  go  in  and  handcraft  it 
and  change  any  of  these  e-mail  addresses  to  @us. army. mil  and  have  a 
high  likelihood  of  having  their  e-mail  address,  if  they're  active 
now,  if  they're  in  the  active  duty  now. 

Q.  Okay,  and  who  --  why  would  foreign  adversaries  want  the 

GAL? 

A.  To  target  military  personnel  to  get  them  to  click  the 

links . 

Q.  And  you  mentioned  earlier  social  engineering.  How  would 

a  social  engineering  attack  work? 

A.  So,  first,  I  find  an  audience  that  I  want  to  target,  or 

an  adversary,  and  for  this  instance  I'm  using  Army,  so  these  are  all 
Army  people  or  Army-affiliated  personnel,  so  I  send  an  e-mail  with  a 

Web  link  or  a  pdf  or  something  similar  to  that  add  —  that  e-mail 

address  - 

[The  assistant  defense  counsel,  CPT  Tooman,  stood  up.] 

MJ:  Yes? 

ADC [CPT  TOOMAN]:  Sorry,  Chief. 

Your  Honor,  this,  I  think,  goes  beyond  the  scope  of 
laying  the  factual  foundation,  so  we  would  object  on  —  object  on 
701. 
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MJ:  Overruled. 

Go  ahead. 

A.  So  the  user  would  then  receive  the  e-mail  in  their  box. 

It  could  appear  to  come  from  anybody  we  want  it  to  come  from.  They 
see  this  e-mail  comes  —  it  could  be,  for  instance,  we're  evaluating 
--  I  saw  in  the  Army  Times  we're  evaluating  a  --  going  to  a  new  --  a 
single  ACU  pattern,  so  it  could  be,  "Visit  this  site  for  a  selection 
of  five  ACU  patterns  and  we're  going  —  we're  just  doing  a  public 
survey  to  see  which  one  you  would  like, "  and  it  could  come  from, 
again,  PAO  or  a  civilian  company;  and  so  many  Soldiers  would  then 
click  that  link,  taking  them  to  a  Web  site  which  might  actually  have 
five  different  patterns  of  ACU  patterns  to  select  from,  and  when  they 
click  one,  it  says,  "Thank  you.  Insert  name  here  for  selecting  the 
ACU,"  and  give  some  type  of  actual  count  back,  but  it's  also 
collecting  information  on  the  machine  that  they're  on.  It  could 
attempt  to  download  malicious  code  into  their  box.  It  could  do  a 
number  of  things,  because  I've  tricked  you  into  going  to  a  site  you 
wouldn't  normally  visit,  which  is  why  we  invest  so  much  in  the 
yearly,  mandatory  training  for  this  type  of  attack. 

Q.  Chief  Rouillard,  are  you  familiar  with  the  program 

"Wget"? 

A .  I  am . 
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Q.  And  how  is  Wget  used  when  it  comes  to  social  engineering 

attacks? 

[The  assistant  defense  counsel,  CPT  Tooman,  stood  up.] 

MJ:  Yes? 

ADC [CPT  TOOMAN]:  Objection;  relevance.  PFC  Manning  is  not 
charged  with  using  Wget  for  a  social  media  attack. 

MJ:  What  is  the  relevance? 

TC [MAJ  FEIN]:  Your  Honor,  the  relevance  is  that  Chief  Rouillard 
has  specialized  knowledge  about  Wget.  This  is  just  laying  the 
foundation  to  ask  subsequent  questions  on  how  he  knows  Wget  and  to 
ask  some  functionality  questions  about  Wget. 

MJ:  What  does  the  malicious  spyware  have  to  do  with  any  of 

this? 

TC [MAJ  FEIN]:  I'm  sorry.  Your  Honor.  I  don't  understand. 

MJ:  You're  —  I  thought  you  were  —  what  was  your  last 

question? 

TC [MAJ  FEIN]:  Ma'am,  I  can  rephrase  the  question,  if  that's  the 
issue . 

MJ:  All  right,  just  move  beyond  that. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  If  he's  going  to  talk  about  the  program  itself,  that  is 

relevant . 
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ADC [CPT  TOOMAN] :  Your  Honor,  we  would  say  it  would  be 
cumulative.  We've  heard  a  lot  about  Wget. 

MJ:  Overruled. 

TC [MAJ  FEIN]:  Chief,  I  want  to  break  —  first,  I'm  going 

to  remove  from  the  --  and  return  to  the  —  remove  from  the  projector 
and  return  to  the  court  reporter  Prosecution  Exhibit  148bravo  and 
Prosecution  Exhibit  147bravo  [handed  exhibits  to  court  reporter] . 

Q.  Are  you  familiar  with  Wget? 

A.  Yes,  sir. 

Q.  What  is  "Wget"? 

A.  "Wget"  is  an  application  or  a  program  —  Wget ' s  a  program 

that  will  download  a  static  copy  of  Web  content,  such  as  a  Web  site 
or  a  SharePoint  site  and  will  download  however  much  of  it  you  tell  to 
download.  So  if  I  say  execute  Wget  against  PAO.Hood.army.mil,  it 
will  download  a  static  copy  of  the  entire  public-facing  Web  site  to 
my  computer. 

Q.  And  can  you  please  explain  for  the  court,  again,  very 

briefly,  - 

A.  Uh-huh  [affirmative  response] . 

Q.  -  how  have  you  used  Wget  in  a  Windows  environment  or 

just  Wget  in  general  in  your  job  as  a  cyber  threat  analyst? 

A.  So - 

Q.  Excuse  me,  a  OPFOR  cyber  threat. 
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A.  Yes,  so  —  so  for  us,  we  use  Wget  —  so  —  there's  two  — 

there's  two  versions.  There's  a  Windows  version  and  a  Linux  version. 
The  Windows  version  is  not  installed  by  default.  You  have  to  put  it 
on  there,  but  once  I  put  --  other  than  that,  the  functionality  is  the 
same,  but  because  our  guys  are  comfortable  with  Microsoft  Windows,  we 
tend  to  install  that  and  have  —  use  that;  but  when  you  run  Wget  and 
download  the  page,  it  lets  you  grab  the  entire  page.  One  of  the 
reasons  we  use  it  is  when  we're  doing  the  open  source  intel  gathering 
on  a  site,  I  can  download  the  Web  page;  I  can  then  take  that  Web  page 
and  feed  it  into  a  script,  again,  that  will  break  the  Web  page  up 
into  a  bunch  of  words  or  a  dictionary  file.  I  then  use  that 
dictionary  file  against  user  names  that  I  have  in  an  attempt  to  use 
those  words  as  passwords.  So  something  that  was  pertinent  to  that 
unit,  for  instance,  if  their  motto  was  "Blackjack,"  then  the 
commander  might  have  his  password  as  "Blackjack6 ! "  So  my  program 
will  take  words  that  are  relevant  to  them,  do  what  we  call  a  little 
bit  of  "mangling,"  so  change  "E's"  to  "3s"  and  such  and  then  run  that 
dictionary  file  against  user  accounts  in  an  attempt  to  guess  a 
password. 

Q.  And  this  is  in  your  OPFOR  capacity? 

A.  Yes,  sir.  Yeah;  this  is  all  as  attack  methodology. 

Q.  And  with  that,  do  you  have  authorization  to  use  Wget  on 

y' all's  computers  if  you  have  to  install  it? 
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A.  We  do.  We  —  you  have  to  actually  —  you  have  —  you 

have  to  be  —  it's  not  part  of  the  normal  Army  load,  so  it's  not  an 
authorized  tool  that  Army  users  encounter.  It's  only  for  --  as  far 
as  the  Army  is  concerned,  the  only  people  that  I'm  aware  of  that  use 
it  are  pen  testers  and  OPFOR. 

Q.  And  when  Wget  runs  in  the  Window  environment  on  the 

screen,  what  does  it  look  like? 

A.  It  —  it's  a  command-driven  tool,  so  it's  a  command-line- 

tool-type  thing.  It's  not  a  normal,  gooey.  Window  thing  that  we're 
used  to,  and  so  it's  a  black  box  on  the  screen,  which  is  your  command 
window,  and  then  it's  just  —  it'll  look  like  a  bunch  of  typed 
commands,  so  if  you  squinted  down  or  read  through  the  commands,  you 
would  see  that  it  was  actually  —  it  would  say  Wget  something,  but 
otherwise  it  just  looks  like  a  command  prompt  screen  with  text 
written  on  it. 

Q.  And  when  you  said  squint  down,  what  did  you  mean? 

A.  Well,  because  by  default  when  you  open  up  a  command  —  a 

command  prompt,  the  text  is  relatively  small,  so  5,  6  feet  away,  I 
can't  read  a  command  prompt  screen  that's  —  like  I  couldn't  read  one 
on  his  computer  if  I  was  standing  here  [referred  to  court  reporter's 
computer] . 

Q.  When  Wget  is  running,  does  it  have  across  the  top  of  it 

in  big  letters  "Wget"? 
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A.  No,  sir.  It  —  it  has  a  —  it  has  the  page  that's 

downloading  and  then  some  status  messages,  but  there's  not  a  big 
announcement  that  Wget  is  running. 

Q.  And  can  Wget  be  running  in  the  background? 

A.  It  can. 

Q.  And  what  does  that  mean? 

A.  So  Windows  gave  us  the  capability  to  run  multiple  things 

at  once,  and  so  on  the  top  of  all  Windows,  there's  a  little  icon  that 
looks  like  a  bar.  If  you  click  that,  it's  called  what  minimizes  it 
and  moves  it  down,  but  you  could  just  as  easily  drag  Internet 
Explorer  in  front  of  it.  That's  why  you  can  browse  the  mail  and 
check  your  Web  at  the  same  time. 

Q.  Are  you  familiar  with  "mIRC  chat"? 

A.  Yes,  sir. 

Q.  How  are  you  familiar  with  mIRC  chat? 

A.  [Pause]  So  - 

Q.  In  your  official  capacity  within  the  Army. 

A.  In  my  official  capacity,  we  used  mIRC  chat  in  2003/2004 

and  with  —  in  2007/2008,  on  both  deployments  we  used  mIRC  chat  with 
my  AFATDS  or  the  artillery  guys  to  coordinate  with  other  units  for 
their  artillery  fields  of  fire  or  whatever. 

Q.  And  when  you  say  "we,"  who's  "we"? 

A.  The  - 
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Q.  You  said  "we"  used. 

A.  Oh,  1st  Cav,  sorry. 

Q.  The  division  headquarters? 

A.  The  division  headquarters,  - 

Q.  Okay. 

A.  -  yes,  sir.  And  so  they  coordinated  with  the  Air 

Force  because  it  was  a  tool  the  Air  Force  was  using  and  that's  what 
they  chose  because  it's  a  --  it's  actual  --  it's  also  a  tool  that  is 
used  just  for  text  chatting  and  —  but  with  Army  systems  in  theater, 
the  only  system  I  saw  it  on  was  the  AFATDS . 

Q.  And  what  did  —  so  when  mIRC  chat  runs,  what  does  the 

screen  look  like? 

A.  The  application  has  a  distinct  look.  It'll  say  "mIRC 

chat."  It'll  have  users  and  channels  on  one  side.  It'll  have  a  text 

field  in  the  middle  with  the  chats  scrolling  up  and  down  and  you  can 

kind  of  tell  chats  going  on. 

Q.  And  you  mentioned  if  you  were  sitting  there  looking  at 

the  court  reporter's  computer,  you  couldn't  see  Wget.  Could  you  see 
mIRC  chat  running? 

A.  I  could  see  mIRC  chat  running.  I  would  probably  have  to 

look  a  little  closer  to  see  if  it  was  mIRC  chat,  but  because  it ' s  a 
Window  application  and  it  has  a  —  if  you  had  seen  mIRC  chat  before, 
you  would  know  what  it  would  look  like.  If  you  had  never  seen  it, 
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then  you  wouldn't  know  that  —  just  from  a  glance  that  that  was  mIRC 
chat,  but  if  you  had  ever  seen  mIRC  chat  before,  you  would  know  that 
was  mIRC  chat. 

[Pause] 

TC [MAJ  FEIN] :  Your  Honor,  may  I  have  a  moment? 

MJ:  Yes. 

[The  trial  counsel  conferred  with  cocounsel.] 

TC [MAJ  FEIN]:  Your  Honor,  the  United  States  has  no  further 
questions . 

MJ:  All  right. 

Just  for  the  record,  the  —  this  witness  was  accepted  as 
an  expert  in  the  GAL  and  cyber  security,  so  when  the  court  allowed 
the  testimony  that  was  objected  to,  it's  on  that  basis. 

Go  ahead,  cross-examination? 

ADC [CPT  TOOMAN] :  Ma'am,  the  defense  requests  a  10-minute 
comfort  break  before  we  begin. 

MJ:  All  right. 

Chief,  during  the  comfort  break,  please  don't  discuss 
your  testimony  or  knowledge  of  the  case  with  anyone  while  we  are  in 
recess . 

WIT:  Yes,  ma'am. 

MJ:  All  right,  anything  else  we  need  to  address? 

TC [MAJ  FEIN]:  No,  ma'am. 
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MJ:  Court  is  recess. 

[The  court-martial  recessed  at  1703,  17  June  2013.] 

[The  court-martial  was  called  to  order  at  1715,  17  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  all 

parties  present  when  the  court  last  recessed  are  again  present  in 
court. 

Defense,  are  you  ready  to  proceed? 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

MJ:  The  witness  is  on  the  witness  stand. 

CROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Chief. 

A.  Sir. 

Q.  Now,  Chief,  you  spoke  a  little  bit  about  a  few  programs, 

Wget,  mIRC  chat.  You're  not  aware  what  programs  the  S-2  section  at 
2-10  Mountain  allowed  during  their  deployment,  right? 

A.  The  S-2  specifically? 

Q.  Right. 

A.  No.  The  Army  has  a  pro  —  a  policy  that  governs  what 

software  goes  on  our  Army  machines  and  govern  from  that  policy  with  a 
standardized,  across  the  Army,  yes. 

Q.  Okay,  but  you  don't  know  if  the  commanders  from  2-10 

Mountain,  specifically  the  S-2  section,  you  don't  know  if  they 
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Q. 


Q. 

A. 


deviated  or  allowed  deviations  from  that.  You  have  no  knowledge  of 
that? 

A.  I  have  no  personal  knowledge,  no. 

Q.  [Pause]  Now  you  spoke  a  little  bit  about  the  Active 

Directory.  Now,  it's  fair  to  say  that  the  Active  Directory  can  exist 
without  the  GAL,  correct? 

A.  Correct. 

But  the  GAL  can't  exist  without  the  Active  Directory. 
[Pause]  So  not  entirely  true. 

Okay. 

Active  Directory  is  for  user  accounts  and  how  we  log  in 
to  our  machines.  Again,  the  GAL  is  just  e-mail  addresses,  so,  for 
instance,  Hotmail  or  Gmail  or  any  of  the  free  mail  providers,  they 
have  a  —  what  you  would  call  —  what  we're  identifying  as  a  GAL,  a 
list  of  e-mail  addresses,  there  is  a  GAL  that  exists  even  though  you 
don't  have  an  Active  Directory  account.  So  with  military  systems 
specifically,  we  fielded  as  a  complete  Enterprise-level  package,  so 
normally  you  get  an  Active  Directory  account  and  an  e-mail  address 
and  they're  linked,  but  you  don't  have  to. 

Q.  Sure.  And  that  link  would  have  existed,  in  your 

experience,  in  the  deployed  environment. 

A.  Deployed  —  in  the  strategic  and  in  the  deployed,  yes. 
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Q.  Right.  So  downrange,  you  wouldn't  have  a  GAL  without  the 

Active  Directory. 

A.  Correct. 

Q.  Okay.  Now  the  Active  Directory  has  other  uses,  doesn't 

it,  beyond  just  providing  - 

A.  Sure. 

Q.  - a  mechanism - 

A.  Absolutely. 

Q.  - for  a  GAL? 

A.  Yes. 

Q.  What  else  do  you  get  to  do  because  you  have  an  Active 

Directory? 


A.  The  Active  Directory  allows  us  to  manage  users  for 

permissions,  for  instance.  You  may  be  allowed  access  to  certain 
files  or  certain  folders  on  SharePoint.  You  can  go  to  certain  parts. 
We  also  use  the  Active  Directory  to  manage  the  security  controls  for 
machines  inside  of  that,  because  not  only  do  users  have  accounts  in 
Active  Directory,  but  also  all  of  the  machines,  all  the  laptops  or 
all  the  workstations  that  are  part  of  that  domain  are  in  the  Active 
Directory,  printers.  Various  objects  exist  in  Active  Directory  other 
than  e-mail  addresses  and  users. 

Q.  Sure.  So  when  I  get  an  Active  Directory  account,  that 

allows  me  to  log  on  to  a  machine. 
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A.  [No  response.] 

Q.  Right? 

A.  Yes. 

Q.  It  allows  me  to  create  a  Word  document. 

A.  Well,  the  Active  Directory  gives  you  access  to  the  laptop 

Q.  Right,  and  the  laptop  has  Word  or  some  other  - 

A.  Sure. 

Q.  -  software  on  it. 

A.  Yeah. 

Q.  And  I  —  and  I  can't  get  to  those  programs  unless  I  have 

[pause]  - 

A.  Not  true. 

Q.  -  access  to  it. 

A.  So  I  can  log  in  locally  to  a  machine.  So  a  machine  — 

for  instance,  a  machine  that's  part  of  Active  Directory  that's  in  the 
domain  in  the  normal  tactical  or  strategic  environment,  if  you  had 
local  login  access,  you  could  unplug  the  machine  from  the  network  and 
log  in  locally  with  a  local  user  account  and  still  access  the  —  many 
of  the  same  files  and  everything  else. 

Q.  Okay,  but  —  so  I  may  be  able  to  do  that,  but  I  couldn't 

print. 
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A.  Uh  —  you  could,  without  being  part  of  Active  Directory 

—  if  you  were  still  plugged  into  the  network,  I  could  - 

Q.  If  I'm  still  —  yeah,  right.  So  I'm  still  plugged  into 

the  network. 

A.  If  I  plug  into  the  network  but  I  log  in  locally.  So  I'm 

not  part  of  the  domain,  I  just  log  in  with  a  local  user  account,  I 
can  still  print;  I  can  still  visit  Web  sites;  I  can  still  run 
programs  on  my  machine.  I  may  not  be  able  to  do  domain-specific 
services,  such  as  access  restricted  areas  of  SharePoint  or  access 
e-mail  if  I  —  if  I'm  on  a  machine  that's  not  part  of  the  domain  or 
if  I'm  logged  in  locally  and  I  try  to  open  up  my  e-mail  it's  —  I'm 
going  to  get  a  prompt  for  what  we  call  "domain  credentials."  It's 
then  going  to  ask  for  a  domain  user,  domain  password,  which  if  I 
don't  have  I'm  not  going  to  get  into  the  e-mail. 

Q.  Okay.  So  it  would  allow  you  to  —  you  would  need  the 

Active  Directory  to  get  into  anything  in  that  domain,  so  that  could 
be  shared  drives? 

A.  Potentially,  depending  on  how  the  shared  drive  was 

configured.  So  if  the  shared  drive  was  just  configured  with  a 
password,  then  all  you  need  is  a  password  to  connect. 

Q.  Is  that  typically  how  - 

A.  Sometimes.  It  really  depends  on  how  its  individual  user 

--  if  you're  at  home  on  your  home  machine,  you  open  up  file  Explorer, 
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right  click  "Share  your  Movies"  drive,  for  instance,  now  the  rest  of 
your  family  can  get  to  your  movies  drive  without  having  Active 
Directory  running  in  your  house. 

Q.  Right.  That's  not  how  the  Army  does  it,  though.  We 

don't  right  click  and  share  - 

A.  That's  not  our  - 

Q.  - folders. 

A.  That's  not  our  normal  standard  implemention,  but  it  still 

occurs  on  Army  networks. 

Q.  Right,  the  shared  drives  that  we're  used  to  as  users  are 

connected  to  the  —  are  connected  to  the  Active  Directory. 

A.  Again,  it  depends  on  the  —  on  the  system.  A  lot  of  the 

PM  systems  aren't  integrated  into  Active  Directory  until  2007,  I 
believe.  CPOF,  which  is  a  primary  tool.  Command  Post  of  the  Future, 
there's  a  Wikipedia  explanation,  a  real  brief  one  of  what  it  is,  but 
basically  it's  our  command  and  control  tool.  Until  recently,  that 
wasn't  using  Active  Directory  logins,  so  it  really  depends  on  the 
system  that  you're  talking  about;  but  for  the  average  workstation  of 
the  user,  the  average  workstation  would  be  part  of  the  domain,  unless 
there  was  a  reason  that  our  security  controls  would  break  it.  So  a 
good  example  of  that  would  be  the  S-l  system  —  I  don't  recall  the 
name  of  it  —  but  their  system,  if  we  implemented  security  — 
specific  security  controls  on  there,  their  system  would  no  longer 
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function,  people  couldn't  get  orders  and  that  type  of  thing,  so  we 
excluded  those  from  the  security  push  from  the  domain. 

Q.  And  shared  drive  is  another  example  of  something  that's 

connected  to  the  —  to  the  Active  Directory. 

A.  Yes,  but  you  could  have  either/or.  It  really  depended 

Q.  Okay. 

A.  -  on  who  set  up  the  share  and  how  they  set  it  up,  so 

normally  we  would  set  it  up  using  Active  Directory  accounts  to 
control  the  access  to  that  shared  drive,  but  it  didn't  have  to  be. 

Q.  And  do  you  have  any  knowledge  of  how  the  Active  Directory 

was  set  up  in  2009  and  2010  in  Iraq? 

A.  Other  than  how  we  train  all  the  Soldiers  to  do  it,  no. 

So  I  know  from  the  training  perspective,  we  train  all  of  the  people 
who  configure  the  systems,  we  train  them  all  at  Fort  Gordon  and 
that's  who  I  was  teaching  from  2008  through  2011. 

Q.  You  don't  have  any  direct  knowledge  of  how  much  time  or 

how  many  resources  were  used  to  input  users  into  the  GAL  in  2009  an 
2010,  the  Iraq  GAL. 

A.  So  I  can  - 

Q.  I  think  you  talked  about  your  time  at  1st  Cav,  but  you 

don't  have  any  knowledge  of  what  was  going  on  with  respect  to  how 
much  time  it  was  taking  to  do  those  tasks  in  2009  and  2010. 
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1  A.  So  it's  the  same  task,  same  —  whether  it's  me  or 

2  somebody  in  2d  Brigade,  10th  Mountain,  or  somebody  at  the  NOSC,  if 

3  they're  creating  user  accounts,  they're  certain  steps  you  have  to  do. 

4  That  process  is  about  10  to  15  minutes. 

5  Q.  It  would  take  you  less  time  than  it  would  take  me. 

6  A.  Sure,  but  it  —  it's  —  after  you  did  it  ten  times,  you 

7  would  do  it  as  fast  as  anyone  —  think  of  it  like  changing  a  tire. 

8  So  if  I  was  going  to  change  the  tire  on  my  car,  the  first  time  I  sat 

9  down  to  change  the  tire  on  my  car  it  would  take  me  a  while;  it  might 

10  take  you  a  while.  It  might  take  us  a  different  amount  of  time. 

11  After  we  changed  25  tires,  we'd  both  be  about  the  same  speed. 

12  Q.  Now  you  mentioned  on  direct  that  there  is  —  there  are 

13  automated  tools  that  can  be  used  to  do  that;  is  that  right? 

14  A.  There  are.  You  can  script  the  creation  of  user  accounts 

15  and  e-mail  boxes  into  Active  Directory.  Prior  exper  —  my  personal 

16  experience  is  most  of  us  admins  are  basically  too  lazy  to  do  it  and 

17  we  would  rather  click  2-  or  300  times  and  use  up  the  time  to  go 

18  through  and  do  that,  because  the  automated  tools,  a  lot  of  times 

19  it'll  take  us  6,  8,  10  hours  to  work  through  the  script  on  how  to 

20  properly  inport  all  that  data,  so  rather  than  taking  6  to  8  hours  to 

21  learn  how  to  write  the  script,  we  take  the  15  minutes  per  account,  we 

22  spread  it  out  between  three  or  four  guys,  and  they  just  click 

23  through. 
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1  Q.  It's  possible  that  there  might  be  someone  who  is  good  at 

2  writing  scripts  and  they  could  just  do  it  in  a  few  minutes  and  it'd 

3  take  a  lot  less  time. 

4  A.  Possible;  improbable. 

5  Q.  Okay. 

6  And  when  you  say  "writing  a  script,"  what  —  what  sort  of 

7  program  would  be  used  to  write  that  script? 

8  A.  So  with  Exchange,  Exchange  runs  on  Microsoft,  and  so 

9  PowerShell  is  the  primary  tool  that  we  use  now,  and  it's  very  —  it's 

10  a  com  —  it's  somewhat  complex  language.  It's  easy  to  begin  with  and 

11  then  gets  more  complex  as  you  go  on,  but  primarily  you  would  use 

12  PowerShell  as  the  scripting  language  because  that  would  be  what  was 

13  on  the  server,  on  the  Exchange  Server. 

14  Q.  So  there's  no,  per  se,  prohibition  against  using  scripts 

15  and  automating  processes  on  a  —  on  a  system. 

16  A.  There's  no  prohibition  against  using  PowerShell  script  on 

17  a  system,  but  other  scripting  languages,  such  as  Python  or  Ruby  or 

18  one  of  those  other  type  of  scripts  that  are  used  a  lot  wider,  those 

19  have  to  be  installed  and,  again,  you  have  to  have  prior  authorization 

20  from  your  G6  to  install  those  and  a  reason  why  you  need  those. 
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Q.  Right. 

Now  you  talked  about  when  you  were  talking  specifically 
about  the  GAL  in  this  case,  you  talked  about  some  of  the  threats  with 
respect  to  having  an  individual's  name. 

A.  Uh-huh  [affirmative  response] . 

Q.  And  if  you  have  the  name,  then  you  only  have  to  figure 

out  the  password,  - 

A.  Right. 

Q.  -  right?  That's  - 

A.  Yes. 


Q. 

A. 

Q. 

nondomain 


-  one  of  two  pieces  that  you  need. 

Half  the  puzzle,  yes. 

Half  the  puzzle.  Are  there  protections  to  prevent 
computer  from  logging  on  to  an  Army  domain? 


a 


A.  So  the  user  account  - 

Q.  So  if  I  - 

A.  I  may  not  be  understanding  your  question,  but  the  user 

account  identified  in  the  GAL  doesn't  have  anything  to  do  with  a 
computer  —  so  if  I  wanted  to  exploit  that,  for  instance,  there  may 
be  potential  blocks  —  if  it's  a  public-facing  server,  then  I  can  use 
that  account  to  log  in;  if  the  server  is  able  to  be  —  so  a  lot  of 
the  standard  deployments  was  the  SharePoint  Server  was  accessible 
from  the  garrison  because,  1st  Cav  as  an  example,  we  had  personnel  on 
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Fort  Hood  and  at  Iraq  that  were  accessing  the  SharePoint  Server,  so 
we  would  create  an  acount,  allowed  them  access  from  the  outside.  Due 
to  the  escalation  of  the  threat  in  the  cyber  domain,  we  have  since 
prevented  a  lot  of  that  type  activity,  but  3  —  2,  3  years  ago,  those 
firewalls  and  the  access  list  and  stuff  that  would  block  that  access 
normally  were  not  in  place. 

Q.  But  one  would  have  to  get  access  to  the  network  before 

they  could  try  to  figure  out  the  password,  correct? 

A.  Correct;  however,  again,  that  user  account  that's 

identified  in  the  GAL  was  also  your  U.S.  Army  mil  account,  so  I  could 
use  that  to  attempt  to  log  in  as  you  against  the  www.us.army.mil,  so 
until  we  went  to  actually  using  the  CAC  cards,  I  could  use  that  user 
information  not  just  to  access  the  tactical  environment  but  also  your 

WWW. 

Q.  Now  you  talked  about  sort  of  that,  I  guess,  trying  to 

hack  in  to  e-mails.  The  Army  e-mail  format's  pretty  well  known, 
isn't  it? 

A.  Urn  —  I  don't  know.  It's  —  it's  fully  known  to  us  in 

the  military.  I  mean,  I  see  it  all  the  time,  but  I  guess  the  best 
example  is  with  common  names,  right,  so  somebody  could  probably  guess 
mine  because  I'm  a  somewhat  unique  name,  but  for  Jeffrey  Smith  or, 
you  know,  Susan  Johnson,  there  might  be  a  large  number  of  those,  and 
so  then  what  is  —  what  is  their  sequence?  The  bigger  threat  is  that 
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those  accounts  with  that  GAL  identified  what  specific  server  they 
were  on,  so  not  just  the  U.S.  Army  mil  account,  but  if  they  could 
access  any  of  the  Iraq  servers  because  they  were  part  of  the  NIPRNet 
domain  on  the  unclassified  network,  if  you  could  reach  that  server, 
you  could  attempt  to  exploit  using  those  against  that  actual  server. 

Q.  Weren't  there  protections  in  place  to  prevent  someone 

from  accessing  those  servers  in  Iraq? 

A.  So,  again,  in  2007/2008,  no.  Now,  most  likely  there  are, 

yes . 

Q.  Any  knowledge  of  what  —  what  the  deal  was  in  2009/2010? 

A.  I  —  no. 

Q.  You  would  agree  with  me  that  it's  pretty  easy  to  find  the 

Army  e-mail  address  format,  though;  you  would  agree  with  that? 

A.  Sure. 

Q.  And  as  far  as  names,  it's  —  one  could  really  just  put 

John. Smith  and  then  John.Smithl,  John.Smith2,  John.Smith3,  and  all 
the  way  up. 

A.  Right,  so  the  real  danger  of  the  amount  of  information, 

we  call  this  "classification  by"  —  I  forget  the  other  term.  When  I 
take  a  bunch  of  similar  information  --  we  do  this  the  same  thing  with 
our  network  configurations  --  when  I  take  a  bunch  of  disparate 
network  configurations  which  are  unclassified  and  I  combine  them  all 
into  one  location,  then  that  document  actually  becomes  a  classified 
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document  because  of  the  amount  of  damage  and  the  potential  amount  of 
exploitation  that  could  happen  from  that.  So  - 

Q.  Well  the  GAL  wasn't  classified,  was  it? 

A.  No,  the  GAL  was  not  classified,  but  it's  more  than  —  the 

threat  is  more  than  that  single  e-mail  address,  because  although  I 
might  know  your  e-mail  and  my  e-mail,  here  I  now  have  a  list  of 
150,000  e-mails  and  so  I  may  not  be  able  to  get  two,  five,  ten  people 
to  click,  but  if  I  send  out  150,000  e-mails,  much  higher  chance  of 
somebody  clicking  that  link. 

Q.  You  talked  about  there  being  a  threat  that  someone  might 

try  and  send  an  e-mail  from  a  commander. 

A.  Uh-huh  [affirmative  response] . 

Q.  Commanders'  names  are  on  the  Web.  That's  - 

A.  They  are. 

Q.  -  common  knowledge. 


A.  Yes. 

Q.  And  you  also  mentioned  that  someone  might  take  the  unit's 

motto  and  try  variations  of  that  as  the  password. 

A.  Uh-huh  [affirmative  response] . 

Q.  Those  unit  mottos  are  also  on  the  Web. 

A.  Sure.  However,  again,  when  I  was  talking  about  Wget 

scraping  the  page,  I  used  that  as  an  example,  but  there's  a  lot  more 
information  in  there,  so  it  might  talk  about  the  commander  likes 
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fishing  or  the  commander  likes  to  snowboard  or  he,  you  know,  he  was 
stationed  here  or  there,  and  so  a  lot  of  those  words  —  and  this  is 
the  technique  that  we  use  even  today  —  scraping  that  entire  page 
gives  me  that  file  with  all  words  that  —  rather  than  running  a 
standard  dictionary  attack,  which  is,  you  know,  just  normal  words  in 
the  dictionary,  I  can  have  a  much  more  targeted  list  against  that 
individual  user  who  is  tied  to  that  whatever  it  is. 

ADC [CPT  TOOMAN] :  One  moment,  please.  Your  Honor. 

M J :  Uh-huh  [affirmative  response]. 

[Pause] 

Q.  Now  in  your  —  in  the  response  you  just  gave,  - 

A.  Uh-huh  [affirmative  response] . 

Q.  -  you're  assuming  that  Wget  was  used  to  pull  the  e- 

mail  addresses  in  this  instance,  in  this  case. 

A.  No.  So  Wget  scrapes  Web  sites.  I'm  unsure  as  to  the 

tool  that  extracted  the  GAL.  I  don't  think  it  was  Wget.  It  was  — 
there  are  other  tools  that  will  extract  that  type  of  data  out  of 
servers,  if  you  have  a  connection,  like  an  L  —  it's  called  an  "LDAP" 
query,  so  Lightweight  Directory. 

Q.  Now  when  you  talk  about  Wget  going  and  getting  a  Web 

page,  - 

A.  Uh-huh  [affirmative  response] . 
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Q.  -  it's  going  to  get  something  that's  in  the  open 


source,  right? 

A.  It  will  —  it  will  get  whatever  you  have  access  to,  so 


Q.  So  if  the  1st  Cav  Web  site  says  the  commander  likes 

fishing,  that's  something  that's  on  the  1st  Cav  Web  site. 

A.  Correct,  but  - 

Q.  It's  not  —  Wget's  not  grabbing  something  that's  not 

there . 

A.  Correct. 

Q.  In  that  instance. 

A.  But  if  - 

Q.  Okay. 

A.  -  if  I'm  in  a  tactical  environment  and  let's,  you 

know,  put  nefarious  hats  on,  for  instance,  if  I  use  Wget  to  scrape 
the  SharePoint  site,  I'm  going  to  download  the  entire  SharePoint  site 
with  all  of  the  files  that  make  up  that  SharePoint  site  that  I  have 
access  to. 


Q.  Now  you're  familiar  with  archive.org,  what's  known  as  the 

"Way  Back  Machine"? 

A.  Yes,  sir. 

Q.  And  Wget  is  the  type  of  program  that  is  used  to  populate 

that  Web  site.  It  goes  out  and  it  grabs  whole  Web  pages. 
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A.  Okay. 

MJ:  Do  you  know  that  or  not? 

WIT:  I  do  not  know  that  for  a  fact.  I  would  —  I  would  accept 

that  answer. 

MJ:  Do  you  know  it  or  not? 

WIT:  I  do  not;  no,  ma'am. 

MJ:  Move  on,  please. 

Q.  Now,  Chief,  there's  —  if  a  Soldier  wanted  to  download 

all  the  e-mails  from  his  brigade,  he  could  do  that. 

A.  What  do  you  mean  by  all  - 

Q.  If  he  wanted  to  get  all  the  e-mails  - 

A.  All  the  e-mail  addresses? 

Q.  All  the  e-mail  addresses  from  his  brigade,  he  could  do 

that . 

A.  He  could;  yes,  sir. 

Q.  There's  never  been  any  sort  of  direction  or  directive 

that  went  out  that  said  you  can't  download  e-mail  addresses  off  the 
GAL. 

A.  There  has  not. 

ADC [CPT  TOOMAN] :  No  further  questions;  thanks.  Chief. 

MJ:  Redirect? 

TC [MAJ  FEIN]:  Yes,  ma'am. 
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DIRECT  EXAMINATION 

Questions  by  the  trial  counsel  [CPT  FEIN] : 

Q.  Chief,  you  testified  a  few  moments  ago  about  common  Army 

e-mail  formats. 

A.  Yes,  sir. 

Q.  Are  the  user  names,  the  portion  that  comes  before  the  "@" 

symbol,  is  that  information  in  bulk  available  to  the  public? 

A.  It  is  not;  no,  sir. 

Q.  And  then  also  as  far  as  your  best  knowledge  about  the 

authority  Soldiers  have  of  downloading  the  Global  Address  List  book, 
is  it  your  experience  or  your  knowledge  of  the  regulations  that 
allows  someone  to  do  that  and  then  transmit  it  to  their  personal 
computer  and  use  it  for  personal  gain? 

A.  No,  sir.  So  part  of  the  configuration  for  the  Outlook 

Client  that  the  Army  uses  is  we  call  it  offline  --  the  offline 

address  book  and  the  offline  files,  if  you  become  disconnected  from 
the  network,  there's  a  cache  copy  on  your  machine  that  allows  you  to 
continue  working.  I  haven't  had  anybody  download  the  GAL  to  their 
personal  machine  or  to  a  government  machine;  and  moving  it  to  a 
personal  machine  would  be  against  the  rules.  We  don't  —  we  don't 
allow  moving  government-type  files  and  that  would  fall  under  a 
government  file,  to  your  personal  machine. 
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TC [MAJ  FEIN]:  Thank  you. 

No  further  questions,  ma'am. 

ADC [CPT  TOOMAN] :  One  or  two.  Your  Honor. 

RECROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Chief,  if  I  logged  on  my  personal  computer  and  wanted  to 

download  a  list  of  the  e-mails  of  all  the  other  judge  advocates  in 
the  United  States  Army  would  that  be  against  the  rules? 

A.  Would  it  be  against  the  rules,  no,  sir. 

ADC [CPT  TOOMAN]:  Okay,  thank  you. 

MJ:  Any  final  redirect? 

TC [MAJ  FEIN]:  Your  Honor,  may  I  have  a  moment? 

MJ:  Yes. 

[The  trial  counsel  conferred  with  cocounsel.] 

REDIRECT  EXAMINATION 

Questions  by  the  trial  counsel  [CPT  FEIN] : 

Q.  Chief,  in  reference  to  the  very  last  question,  - 

A.  Yes,  sir. 

Q.  -  again,  based  off  your  personal  knowledge,  is  a 

Soldier  authorized  to  use  their  NIPR  machine  to  download  the  entire 
GAL,  move  it  to  their  personal  computer  for  the  purposes  of  giving  it 

to  a  corporation,  a  company,  - 

A.  Right,  no,  sir. 
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Q.  -  someone  outside  the  U.S.  Government? 

A.  And  so  it  goes  to  intent.  What  do  you  intend  to  do?  If 

you  are  downloading  the  GAL  to  use  on  your  personal  machine  because 
your  machine  is  going  in  for  repair,  it  may  be  okay  to  have  select 
individual  addresses.  There's  —  there's  not  a  reason  to  have  the 
entire  GAL  on  your  personal  machine  - 


Q. 

Why? 

A. 

- that 

I 'm  aware 

of . 

Q. 

Why? 

A. 

Well,  the 

potential 

for  abuse. 

I  don't  know  that  your 

machine  is  base  lined  or  is  kept  in  the  appropriate  patches,  so  if 
your  machine  is  compromised  and  you've  moved  the  entire  GAL  from  any 
theater  down  to  the  brigade  to  your  personal  machine  and  your 
personal  machine  is  compromised  because  your  kid  plays  Whack  a  Mole 
on  a  site,  now  the  enemy  has  that  address  list  and  can  exploit  — 
again,  back  into  the  whole  spear  phishing  and  targeting  of  us,  so 
that's  why  we  don't  allow  people  to  do  that.  That's  also  why  on  the 
AKO  site,  all  Army  users  are  allowed  to  install  antivirus  software, 
Norton  antivirus  and  all  that  on  your  machine.  We  want  person  — 
personnel's  machines  to  be  protected  at  home.  They'll  issue  you  a 
CAC  card  so  you  can  check  your  mail,  but  it  goes  to  intent  and  that's 
one  of  the  big  things  in  the  cyber  domain  is  if  you  have  physical 
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access,  it's  really  hard  to  stop  a  maliciously  intended  person 
because  they  can  do  things  regardless  of  technical  prevention. 

Q.  And  in  2008,  when  you  last  left  Iraq,  was  a  user  —  did 

the  user  have  the  capability  on  their  personal  computer  to  log  on  to 
the  USF-I  domain  and  download  e-mails? 

A.  Negative,  because  if  - 

Q.  For  their  own  personal  use. 

A.  -  if  you  connected  your  personal  machine  into  the 

government  network,  that  was  treated  as  a  —  as  a  spillage  basically 
for  us  at  1st  Cav,  and  it  was  the  same  as  if  you  took  your  NIPRNet 
machine  and  plugged  it  into  the  SIPRNet;  you  would  get  a  visit  from 
the  G6,  "Why  are  you  plugging  your  personal  box  in  here?"  A  report 
and  everything  generated  - 

Q.  What  about  at  that  time  through  a  WebMail  interface  that 

connects  to  the  Exchange  in  Iraq;  did  that  exist? 

A.  It  did  not  exist  to  my  knowledge. 

TC [MAJ  FEIN]:  Thank  you. 

EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  Let  me  just  target  you  there.  It  did  not  exist  in  2008 

or  it  did  not  exist  in  2009  and  2010? 

WIT:  I  cannot  speak  definitively  that  it  did  not  exist  in  2009 

and  2010,  but  that  was  not  part  of  our  normal  configuration  to  allow 
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WebMail  access  because  of  the  attack  factor;  and  if  you  did  access 
your  mail  through  the  WebMail,  then  the  address  book  is  built  into 
the  WebMail  and  you  wouldn't  need  it  on  your  personal  box  because 
it's  part  of  the  WebMail  Client. 

MJ:  I  asked  a  follow-up  to  yours.  Do  you  want  to  —  have  any 

follow-up  questions  based  on  what  I  have  and  then  I'll  turn  it  over 
to  you? 

TCtMAJ  FEIN]:  Yes,  ma'am. 

REDIRECT  EXAMINATION 

Questions  by  the  trial  counsel  [CPT  FEIN] : 

Q.  As  recently  as  today  and  after  2010,  is  there  a  WebMail 

interface  for  the  Iraq  domain? 

A.  Not  to  my  knowledge. 

TC [MAJ  FEIN]:  Thank  you. 

MJ:  Go  ahead. 

ADC [CPT  TOOMAN] :  Thank  you.  Your  Honor. 

RECROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Chief,  what  rule  says  that  a  user  can't  download  e-mail 

addresses? 

A.  There's  —  again,  there's  not  a  rule  to  prevent  you  from 

downloading  the  e-mail  addresses,  but  you  would  have  to  address  the 
intent.  Again,  we  don't  write  rules  for  everything.  There's  not  a 
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rule  saying  you  can't  download  every  document  on  the  SharePoint 
Server,  but  if  you  did  that,  you  would  get  a  visit  —  normally,  you 
would  get  a  visit  due  to  the  amount  of  data  that  you're  collecting, 
the  question  would  be  why  do  you  need  that  amount  of  data,  so  the 
same  principle  applies  to  the  Global  Address  List,  why  are  you  —  the 
command,  if  that  was  scrutinized,  and  they  would  say,  "Why  are  you 
downloading  175,000  e-mail  addresses  for  your  personal  thing  where 
anytime  you  would  use  those  addresses  you  would  be  connected  to  the 
military  system  that  would  have  the  address  book  there  for  you  and 
you  wouldn't  need  it  on  your  —  on  your  personal  machine. 

Q.  Chief,  if  your  intent  was  I  just  want  to  see  if  I  can  do 

it,  that'd  be  okay,  wouldn't  it? 

A.  It  wouldn't  necessarily  be  okay;  no,  sir.  We  don't  allow 

people  to  just  do  things  because  they  want  —  again,  that  —  do  I 
download  the  entire  SharePoint  Server,  and  I  use  that  because  it  — 
it's  another  big  part  of  our  Enterprise  services.  So  if  I  allow  — 
if  I  go  back  to  the  secure  facility,  to  the  Nolan  Building,  and  I 
download  the  entire  SharePoint  Server  that's  on  the  SIPRNet,  I  will 
get  a  visit  from  my  S-2  guys  and  say,  "Why  are  you  downloading  all 
this  data;  what  are  you  planning  on  doing  with  it?"  because  the 
logical  assumption  is  you  are  going  to  do  something  with  all  of  that 
data,  so  the  same  principle  applies  to  the  GAL. 
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Now,  there's  not  a  specific  monitoring  tool  that  would 
watch  —  there's  not  a  technical  implementation  to  watch  who's 
downloading  the  entire  Global  Address  List  because  it's  a  feature 
that  most  people  don't  download  and  it's  not  a  serious  system 
inconvenience  when  you  download  the  whole  GAL  because  it's  only  a  few 
meg,  but  if  you  were  to  download  the  entire  SharePoint  Server  that 
you  had  access  to,  you  would  probably  get  a  visit. 

Q.  So  there's  not  —  there's  not  a  big  suck  on  resources  to 

download  the  GAL. 

A.  There's  not  a  huge  impact  on  resources  to  do  the  physical 

downloading  of  the  GAL,  correct. 

Q.  And  there's  no  rule  that  says  if  your  intent  is  just  I 

want  to  see  if  I  can  do  it,  there's  not  a  rule  that  says  you  can't. 

A.  There's  not  a  rule  written  that  says  you  cannot. 

Q.  And  then  if  you  deleted  it  after  you  figured  out  how  to 

do  it,  that  would  suggest  that  the  intent  was  - 

TC [MAJ  FEIN]:  Objection,  Your  Honor  —  excuse  me.  Your  Honor  — 
as  speculative. 

MJ:  Well  let's  hear  the  question. 

Q.  if  the  —  if  the  file  was  deleted  after  it  was  downloaded 

and  it  was  done,  what  would  that  say  to  you  about  the  intent? 

MJ:  Well  —  all  right,  don't  answer  that. 

ADC [CPT  TOOMAN] :  Nothing  further. 


8930 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 


Q  O 


MJ:  Redirect? 

TC [MAJ  FEIN]:  No,  Your  Honor. 

CDC [MR.  COOMBS]:  Your  Honor,  just  on  that  last  question,  and  I 
understand,  that  was  going  towards  the  fact  that  he's  a  cyber  threat 
expert,  so  he  talked  about  intent;  he  talked  about  whether  it  would 
be  wrong  or  right,  depending  upon  the  intent,  and  so  as  a  cyber 
threat  expert,  if  what  he  saw  was  the  person  downloaded  it  then 
deleted  it,  would  that  - 

MJ:  And  that  would  give  him  absolutely  no  idea  of  what  the 

person's  intent  was. 

CDC [MR.  COOMBS]:  But  from  a  cyber  threat  standpoint,  then,  when 
he's  —  when  he's  testifying  that  something  might  be  wrong  if  you  did 
a  certain  act,  in  this  instance  he's  saying,  well,  it's  — 
downloading  the  GAL  is  not  a  problem  but  if  you  have  all  this 
information  we'd  want  to  know  why  you  have  that,  and  then  that  might 
cause  G6  or  somebody  to  come  to  you  and  ask  you  a  question,  like,  why 
are  you  doing  this?  And  so  in  this  instance,  the  issue  here  is 
steal,  purloin,  knowingly  convert,  so  if  the  facts  were  that  the 
information  was  deleted  immediately,  what  would  that  tell  him  as  a 
cyber  expert,  so  that's  what  that  question  was  going  towards. 

MJ:  All  right.  It's  still  overruled. 
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EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  I  do  have  a  question  for  you,  though.  I'm  still 

confused.  I  thought  you  answered  to  the  government  a  little  bit 
earlier  that  if  a  Soldier  wanted  to  download  the  e-mails,  all  of  his 
e-mail  addresses  from  the  brigade  —  or  you  answered  to  the  defense 
—  the  Soldier  could  do  it.  There's  no  directive  saying  you  can't. 

A.  There  —  correct,  ma'am.  There  is  not  a  rule  —  there  is 

not  a  specific  rule  that  says  you  are  not  allowed  to  download  the 
entire  GAL  —  the  entire  address  list. 

Q.  Now  are  you  talking  about  downloading  on  a  NIPRNet 

machine  or  downloading  on  a  personal  machine  or  is  there  any 
difference? 

A.  There  is.  When  you  transfer  military  data  to  personal 

machines,  there  are  regulations,  and  I  --  I'm  sorry.  I  can't  quote 
them  for  you,  but  there  are  regulations  that  do  not  allow  us  to  move 
military  data  to  personal  machines.  I  can't  just  take  —  download 
the  SharePoint  site's  a  good  example  because  it  has  a  bunch  of 
unclassified  data,  so  it  might  have  alert  rosters  and  PowerPoints  — 
slides  and  briefings  and  such.  It  might  have  a  briefing  from  the 
NSA,  and  I  download  all  this  data  on  my  personal  machine  —  I  mean  to 
a  government  machine.  When  I  move  it  off  of  that  government  machine 
to  my  personal  machine,  the  question  comes  up:  Why  are  you  doing 
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that?  And  so  there  are  rules  that  prevent  us  from  moving  data  from  a 
government  machine,  and  that's  why  you  can't  use  thumb  drives 
anymore;  you  can't  burn  CDs  on  unclassified  machines. 

Q.  Do  you  know  what  those  rules  are  and  where  they  come 

from? 

A.  I  do  not.  AR  25-2,  somewhere,  governs  that,  but  there's 

also  local  policies  that  would  be  implemented  that  would  prevent 
that.  I  can  research  that,  if  needed. 

Q.  No,  no;  that's  okay. 

A.  Okay.  Yes,  ma'am. 

MJ:  Any  follow-up  based  on  mine? 

TC [MAJ  FEIN]:  No,  ma'am. 

ADC [CPT  TOOMAN] :  No,  ma'am. 

MJ:  All  right. 

[Pause] 

MJ:  Temporary  or  permanent  excusal? 

TC [MAJ  FEIN]:  Temporary,  ma'am. 

ADC [CPT  TOOMAN]:  No  objection. 

MJ:  All  right. 

[The  witness  was  warned,  temporarily  excused,  and  withdrew  from  the 
courtroom . ] 

MJ:  Just  for  the  record,  as  part  of  the  —  my  overruling  the 

defense  objection,  I'm  not  going  to  consider  any  of  this  witness's 
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testimony  with  regard  to  it  depends  on  intent  and  all  of  the  rest  of 
that.  He  said  there's  rules  regarding  the  transfer  of  data  from  a 
NIPRNet  computer  to  a  personal  computer.  He  knows  where  they  are  but 
he  doesn't  know  what  they  are;  that  was  my  understanding  of  his 
testimony. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

ADC [CPT  TOOMAN] :  Sounds  right.  Your  Honor. 

MJ:  Okay.  Anything  else  we  need  to  address  today? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  Okay,  now  we  still  need  to  talk  about  tomorrow.  Do  you 

want  to  take  a  brief  recess  and  then  come  back  on  the  record  and 
decide  a  way  ahead? 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  All  right.  How  long  do  you  think  we  need? 

CDC [MR .  COOMBS]:  Ten  minutes.  Your  Honor. 

MJ:  Okay. 

Court  is  in  recess  and  plan  we'll  begin  somewhere  between 
10  minutes  of  and  6  o'clock,  depending  on  how  long  the  —  this 
discussion  takes.  Court  is  in  recess. 

[The  court-martial  recessed  at  1748,  17  June  2013.] 

[The  court-martial  was  called  to  order  at  1809,  17  June  2013.] 
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MJ:  Court  is  called  to  order.  Let  the  record  reflect  all 

parties  present  when  the  court  last  recessed  are  again  present  in 
court . 

All  right,  counsel  and  I  met  in  an  R.C.M.  802  conference 
to  talk  about  the  way  ahead.  First  of  all,  we'll  --  we  will  be 
coming  back  on  the  record  tomorrow  morning  at  0930  for  oral  argument 
on  the  admissibility  of  certain  prosecution  exhibits  that  the  defense 
has  had  hearsay,  authentication,  and  relevance  objections  to;  and 
there  was  some  confusion  as  to  exactly  what  exhibits  we  were  talking 
about.  I  know  we're  talking  about  Prosecution  Exhibit  109.  What  are 
the  other  ones? 

TC [MAJ  FEIN]:  31  and  32,  ma'am. 

MJ:  All  right,  so  33  and  34  are  not  being  offered  by  the 

government? 

TC [MAJ  FEIN]:  No,  ma'am. 

MJ:  Okay. 

[Pause]  All  right.  Defense,  I  assume  since  you  cited  33 
and  34  as  well,  that  your  arguments  remain  the  same  for  —  if  those 
two  exhibits  are  taken  out. 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

MJ:  Okay.  And  that  will  be  at  0930  tomorrow. 

We  also  discussed  the  way  ahead  after  that.  Right  now 
the  parties  are  negotiating  additional  stipulations  of  expected 
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testimony.  The've  —  they're  in  draft  form  and  they've  got  to  go 
back  —  both  sides  have  to  agree  on  a  stipulation  of  expected 
testimony,  as  does  PFC  Manning,  in  order  for  them  to  be  introduced  as 
evidence  in  lieu  of  witness  testimony;  that  takes  time.  And  the 
parties  have  advised  me  --  Major  Fein,  why  don't  you  explain  for  the 
record  what  the  parties  would  like  to  do? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

Your  Honor,  the  defense  and  prosecution  have  tentatively 
agreed  to  enter  into  17  more  stipulations  of  expected  testimony,  and 
based  on  the  volume  of  the  individual  stipulations,  it  will  take  both 
parties  additional  time  in  order  to  discuss  the  stipulations,  come  to 
an  agreement,  and  then  also  provide  certain  ones  to  certain 
government  organizations  to  have  classification  reviews  completed,  so 
the  United  States  and  defense  came  together  and  proposed  that  after 
tomorrow's  oral  argument  the  court  recesses  until  next  Tuesday,  which 
would  provide  both  parties  adequate  time  by  the  end  of  this  week  to 
have  the  stipulations  completed  and  then  to  send  those  to  the 
different  government  organizations  for  them  to  come  back  based  off  a 
court  order  by  Wednesday  of  next  week. 

If  we  reconvene.  Your  Honor,  on  Tuesday  of  next  week, 
it'll  be  a  status  hearing  on  the  stipulations  and  any  other  issues 
that  might  arise;  and  the  goal  then  being  on  Wednesday,  the 
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government  resumes  its  case  in  chief  by  calling  the  next  set  of 
witnesses  and  reading  the  stipulations  onto  the  record. 

MJ:  All  right,  is  that  the  defense's  understanding,  as  well? 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 

MJ:  All  right. 

And  the  court  did  discuss  with  the  parties  the  —  this 
additional  review  by  the  other  agencies.  I  mean,  that's  between  the 
government.  You  can  certainly,  you  know,  have  whoever  you  want  to 
review  it,  but  it's  not  going  to  delay  the  court,  so  I'm  going  to 
have  a  court  order  coming  out  saying  that  it's  going  to  be  3  business 
days  and  that's  it. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Okay,  so  I'll  draft  that  order  today.  We'll  put  that  as 

an  appellate  exhibit  tomorrow. 

Is  there  anything  else  we  need  to  address  at  this  point? 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

TC [MAJ  FEIN]:  No,  Your  Honor. 

MJ:  All  right,  the  only  thing  I'm  thinking  of  is  based  on  the 

testimony  of  the  last  witness,  I  had  asked  the  parties  to  prepare 
briefs  on  value  and  money,  and  since  the  government's  withdrawn  that 
part  of  his  testimony,  does  either  side  see  the  need  for  those  briefs 
at  this  time? 

TC [MAJ  FEIN]:  No,  ma'am. 
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CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  All  right,  so  I  won't  require  them. 

TC [MAJ  FEIN]:  Now,  I'm  sorry.  There  is  one  other 
administrative  issue.  Over  the  weekend  there  was  an  e-mail  between 
the  parties  and  the  court  about  not  calling  sentencing  witnesses 
prior  to  8  July  and  just  put  on  the  record  that  the  United  States 
based  off  the  defense  not  objecting  and  the  court  approving  that  the 
United  States  did  notify  all  sentencing  witnesses  or  is  in  the 
process  of  notifying  prosecution  and  defense  sentencing  witnesses 
that  they  would  not  be  called  any  earlier  than  8  July. 

MJ:  All  right,  that's  fine;  and  that  was  a  series  of  e-mails 

that  went  back  and  forth.  The  defense  had  no  objection.  And,  again, 
looking  at  the  schedule  now  and  motions  that  —  certain  motions  that 
may  arise  and  the  length  of  the  potential  defense  case,  you  know,  we 
may  not  even  be  at  that  point  yet  by  July  8th,  so  we'll  have  to  see 
how  we  address  this  as  we  go  along. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

CDC [MR .  COOMBS]:  Yes,  Your  Honor. 

MJ:  Anything  else? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  All  right,  court  is  in  recess. 

[The  court-martial  recessed  at  1813,  17  June  2013.] 
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[The  court-martial  was  called  to  order  at  0937,  18  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  all 

parties  present  when  the  Court  last  recessed  are  again  present  in 
Court.  All  right.  The  Court  has  prepared  an  order.  Review  of 
Stipulations  of  Expected  Testimony,  dated  18  June  2013,  with  a 
suspension  date  of  3  duty  business  days. 

1.  To  date  the  government,  defense,  and  accused  have 
entered  stipulations  of  expected  testimony  of  33  government 
witnesses.  Those  stipulations  have  been  admitted  into  evidence  and 
read  on  the  record.  The  parties  notified  the  Court  they  anticipate 
entering  into  approximately  17  additional  stipulations  of  expected 
testimony  by  21  June  2013. 

2.  The  government  notified  the  Court  that  government 
organizations  with  equities  involved  have  requested  to  review  certain 
stipulations  of  expected  testimony  before  they  are  admitted  into 
evidence  and  read  on  the  record.  The  government  wishes  to 
accommodate  this  request  and  proposes  to  have  those  stipulations 
signed  by  the  parties  before  sending  them  to  the  government 
organizations  for  review.  Defense  does  not  object. 

ORDER: 

1.  The  court  approves  the  government's  request  for  the 
requested  reviews  so  long  as  the  reviews  do  not  unreasonably  delay 
the  trial.  All  reviews  of  stipulations  of  expected  testimony  will  be 
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completed  within  3  duty  or  business  days  after  the  party  and  the 
accused  enter  into  the  stipulation. 

2.  This  order  is  issued  under  the  court's  authority  to 
regulate  the  proceedings  under  Rule  for  Court-Martial  801  and  to 
compel  the  production  of  witnesses  under  Rule  for  Court-Martial  703. 
Should  any  government  organization  request  to  review  a  stipulation 
and  fail  to  conduct  this  review  within  this  timeframe,  the  government 
will  elect  to  offer  the  stipulation  into  evidence,  call  the  subject 
witness,  or  forego  the  use  of  the  testimony  in  the  government's  case 
in  chief. 

So  ordered  this  18th  day  of  June,  2013. 

Please  add  that  as  the  next  appellate  exhibit  in  line.  Is 
there  anything  else  we  need  to  address  before  we  proceed  to  argue  the 
motion? 

TC [MAJ  FEIN]:  Your  Honor,  just  two  administrative  issues. 

First,  yesterday  what  has  been  marked  as  Appellate  Exhibit  572  the 
government  filed  with  the  Court,  witness  list  order  and  proposed  PEs 
of  prosecution  witnesses,  dated  17  June  which  included  the  17 
stipulations  you  just  referenced  in  your  order,  that's  been  marked  as 
Appellate  Exhibit  572.  Also  this  morning.  Your  Honor,  as  of  this 
morning's  start  of  Court  there  are  nine  media  members  in  the  media 
operation  center,  one  stenographer  at  the  media  operation  center. 
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four  members  of  the  media  in  the  courtroom,  four  spectators  in  the 
courtroom,  and  currently  no  one  in  the  trailer  but  it  is  available. 

MJ:  All  right.  Thank  you.  At  issue  are  the  defense  objections 

to  Prosecution  Exhibits  31,  32,  and  109,  Prosecution  Exhibits  for 
Identification.  And  I  believe  the  objections  were  authentication, 
hearsay  and  relevance.  Is  that  correct? 

CDC [MR.  COOMBS]:  That's  correct,  ma'am. 

MJ:  For  all  three  of  the  exhibits,  the  same  objection? 

CDC [MR.  COOMBS]:  Yes,  ma'am. 

MJ:  All  right.  I've  already  admitted  Prosecution  Exhibit  110 

for  Identification.  Government,  as  you  have  the  burden  of  proof, 
would  you  like  to  proceed? 

ATC [CPT  von  ELTEN] :  Yes,  ma'am. 

MJ:  Let's  go  exhibit  by  exhibit  if  we  will.  Before  you  start, 

can  I  ask.  I'll  ask  the  defense  this  as  well,  for  Prosecution 
Exhibits  31  and  32  for  Identification  will  the  arguments  be  the  same? 

ATC [CPT  von  ELTEN]:  Similar,  ma'am. 

MJ:  But  different? 

ATC [CPT  von  ELTEN]:  But  different. 

MJ:  All  right.  Go  ahead. 

ATC [CPT  von  ELTEN]:  Your  Honor,  the  United  States  believes  it's 
made  a  prima  facie  showing  of  authentication  and  therefore  all 
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defense  arguments  should  go  to  weight  and  not  admissibility.  I'll 
start  off  with  the  Internet  archive  result,  ma'am. 

MJ:  I  would  prefer  if  you  would  do  Prosecution  Exhibits  31  and 

32  first. 

ATC [CPT  von  ELTEN] :  Yes,  ma'am. 

MJ:  Can  you  do  that? 

MJ:  Thank  you. 

ATC [CPT  von  ELTEN]:  Prosecution  Exhibit  31  for  Identification, 
ma'am,  is  a  Tweet.  The  United  States  offers  it  as  a  Tweet  from 
WikiLeaks  requesting  .mil  email  addresses.  To  lay  out  the  history  of 
how  Agent  Mander  collected  it.  Agent  Mander  testified  that  he 
collected  that  information  and  witnessed  in  two  different  ways. 

First,  Agent  Mander  testified  that  he  went  to  WikiLeaks 
personally  a  year  ago  —  WikiLeaks  Twitter  account  at  Twitter.com, 
and  actually  saw  —  saw  the  Tweet  located  directly  on  the  Twitter 
website.  Then  Agent  Mander  testified  that  he  more  recently  went  to  a 
Google  cache  version  and  searched  for  it  and  located  it.  He 
testified  that  he  compared  it  to  and  found  the  contents  to  be  the 
same.  Agent  Mander  testified  that  he  is  familiar  with  Google  cache 
as  something  that  saves  the  result  and  makes  it  accessible  for 
viewing.  Agent  Mander  also  testified  that  he  uses  Google  cache  in 
his  official  capacity  as  a  CID  agent  and  uses  it  regularly. 
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1  Therefore,  Agent  Mander  authenticated  the  Prosecution  Exhibit  31  for 

2  Identification  based  on  his  own  personal  knowledge. 

3  Furthermore,  Agent  Mander  testified  about  the  identifying 

4  characteristics  of  the  email  Tweet.  He  talked  about  the  logo,  the 

5  location  where  he  found  it  on  Twitter.com,  the  account  name  being 

6  WikiLeaks,  and  the  content  of  the  Tweets  all  being  relevant,  things 

7  that  would  make  it  a  WikiLeaks  lead.  Furthermore,  the  Twitter 

8  account  under  WikiLeaks  is  deemed  as  1.8  million  followers  making  it 

9  more  likely  that  it  is  —  making  it  WikiLeaks  account  making  it  a 

10  worldly  WikiLeaks  account.  Because  the  Tweet  is  authenticated  under 

11  Agent  Mander' s  testimony,  any  evidence  of  the  defense  wishes  to  offer 

12  should  go  to  weight,  not  admissibility.  As  far  as  hearsay.  Your 

13  Honor,  the  United  States  offers  PE  31  for  Identification  for  effect 

14  on  listener.  Specifically  we're  offering  it  to  explain  PFC  Manning's 

15  course  of  action.  On  7  May  2010,  WikiLeaks  published  a  Tweet  asking 

16  for  .mil  email  addresses.  Special  Agent  Williamson  testified  that 

17  there  were  five  files  related  to  the  .mil  email  addresses  found  on  a 

18  computer  to  which  PFC  Manning  had  access.  The  files  were,  quote, 

19  "created  and  deleted  on  13  May  2010,  and  in  between  creating  and 

20  deleting  these  files  the  user  of  the  Peter  Bigelow  account  also 

21  viewed  the  Bradley  E.  Manning  Gmail  email  inbox." 

22  MJ:  Who  is  the  witness  who  testified  to  this? 

23  ATC [CPT  von  ELTEN] :  Special  Agent  Williamson,  ma'am. 
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MJ:  Okay. 

ATC [CPT  von  ELTEN] :  The  email  Tweet  is  relevant  because  it  makes 
it  more  likely  that  PFC  Manning's  intent  was  to  compromise  the  .mil 
email  addresses  and  information  related  to  them.  The  evidence  also 
corroborates  PFC  Manning's  admissions  that  he  performed  significant 
research  into  WikiLeaks  and  that  he  --  and  that  he  talked  about 
compromised  information  with  Mr.  Lamo .  Prosecution  Exhibit  32  for 
Identification,  the  authentication  arguments  are  the  same,  ma'am. 

The  hearsay  explanation  is  slightly  different.  The  United  States  is 
offering  this  to  explain  the  nature  of  WikiLeaks  possession  and  it's 
appropriate  in  this  case  for  non-hearsay  use  from  United  States  v. 
Ellison . 

MJ:  Stop  there  again.  What's  Prosecution  Exhibit  32? 

ATC [CPT  von  ELTEN]:  It's  the  video  Tweet,  WikiLeaks  saying  they 
have  an  encrypted  video  of  bomb  strikes  on  civilians  and  that  they 
need  Secret  - 

MJ:  They  have  encrypted  video. 

ATC [CPT  von  ELTEN]:  Of  bomb  strikes  on  civilians  and  they  need 
super  computer  time. 

MJ:  And  the  non-hearsay  basis  is? 

ATC [CPT  von  ELTEN]:  The  non-hearsay  basis  is  explanation  of  the 
nature  of  the  possession  of  WikiLeaks.  WikiLeaks  admits  to  having 
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the  video  and  needing  to  decrypt  it  which  is  evidence  that  they  don't 
have  lawful  possession  of  it.  This  is  relevant  because  - 

MJ:  How  does  that  not  go  to  the  truth  of  the  matter  asserted? 

ATC [CPT  von  ELTEN] :  Because  under  United  States  v.  Ellison, 
possession  of  stolen  goods,  the  explanation  of  the  nature  of  it  is 
relevant  —  is  admissible  in  a  non-hearsay  way  as  part  of  the  res 
gestae. 

MJ:  What  does  res  gestae  have  to  do  with  hearsay? 

ATC [CPT  von  ELTEN]:  Your  Honor,  this  case  the  case  history 
discusses  res  gestae  which  talks  about  many  cases  historical 
forerunners  to  modern  hearsay  objections,  and  in  this  case  the 
statement  about  the  possession  and  the  nature  of  it  is  treated  as 
almost  an  operative  fact. 

MJ:  So  this  is  United  States  v.  Elliott  you're  talking  about? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am.  Sorry.  Elliott. 

MJ:  The  one  cited  in  your  brief. 

ATC [CPT  von  ELTEN]:  Yes,  ma'am.  23  M.J.  1. 

MJ:  Okay. 

ATC [CPT  von  ELTEN]:  It's  relevant  because  it's  evidence  of  the 
timing  of  transmission  by  PFC  Manning.  The  transmission  is  analogous 
to  a  stolen  good  here  in  the  WikiLeaks  case  because  they  had 
unauthorized  possession  of  something.  The  evidence  corroborates  PFC 
Manning's  admissions  where  he  explicitly  says  to  Mr.  Lamo  that 
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WikiLeaks  has  the  video.  PFC  Manning  tells  Mr.  Lamo  that  WikiLeaks 
has  an  encrypted  video.  PFC  Manning  also  tells  Mr.  Lamo  that 
WikiLeaks  is  unable  to  decrypt  the  video. 

The  Tweet  is  also  relevant  to  the  timing  of  the 
transmission.  United  States  has  charged  transmission  between  1 
November  and  8  January  of  the  BE22PAX  video.  United  States  has 
presented  evidence  that  the  video  was  encrypted,  had  the  same  hash 
value  as  the  video  in  the  CENTCOM  server,  and  that  video  existed 
outside  of  the  United  States'  possession.  And  this  Tweet 
corroborates  that  as  well.  This  is  also  relevant  to  PFC  Manning's 
knowledge  of  WikiLeaks'  plan  to  compromise  classified  information. 

PFC  Manning  did  extensive  research  on  WikiLeaks  on  the  SIPRNET ,  on 
Intelink,  he  talked  about  it  with  Mr.  Lamo,  he  talked  about  it  with 
Press  Association,  and  Mr.  Johnson  testified  that  Press  Association 
has  been  associated  with  Mr.  Assange. 

MJ:  You  also  have  that  it's  relevant  to  PFC  Manning's  knowledge 

of  the  scope  of  the  disclosure  for  Article  104.  Please  talk  about 
that . 

ATC [CPT  von  ELTEN] :  Well,  ma'am,  if  WikiLeaks  has  a  plan  to 
compromise  classified  information,  and  PFC  Manning  is  aware  of  that 
plan,  it  makes  his  knowledge  of  when  he  gives  information  to 
WikiLeaks  more  likely  that  he  knows  what  the  effect  of  those 
compromises  will  be.  Furthermore,  when  there's  evidence  of  a  plan  it 
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is  evidence  that  evidence  can  also  be  used  as  proof  of  subsequent 
acts.  So  in  this  case  where  WikiLeaks  has  a  plan  to  compromise 
information,  that  is  then  evidence  that  they  will  compromise 
classified  information  in  the  future  going  forward.  And,  ma'am, 
Special  Agent  Mander  also  testified  that  both  of  the  Tweets  are  still 
presently  on  Twitter  and  that  he  —  as  of  the  first  week  of  June 
2013. 

MJ:  All  right. 

ATC [CPT  von  ELTEN] :  Regarding  Prosecution  Exhibit  109  for 
Identification  which  is  the  Internet  archive  record,  ma'am.  United 
States  offers  that  as  a  self-authenticating  record  under  902(11). 
United  States  has  presented  an  affidavit  stating  that  the  record  was 
made  at  or  near  the  time  of  the  occurrence  set  forth,  it  was  kept  in 
the  regular  course  of  business  and  it  was  made  as  part  of  a  regularly 
conducted  activity. 

MJ:  So  are  you  offering  it  as  a  business  record? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am.  Which  goes  into  my  next  point 
that  it  qualifies  under  business  records  exception  hearsay  for  the 
same  reasons. 

MJ:  The  defense  brief  talks  about  the  organization  having, 

using  a  different  standard  affidavit  than  the  one  they  used  in  this 
case.  Can  you  talk  about  that? 
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ATC [CPT  von  ELTEN] :  Yes,  ma'am.  The  United  States  gave  the 
Internet  Archive  a  standard  military  justice  form,  gave  it  to  them, 
gave  them  time  to  review  it  and  they  sent  it  back  to  us.  It  was  just 
for  the  expediency  to  use  the  forms  we  used  in  normal  practice.  The 
content  of  the  form  provided  by  the  United  --  or  the  affidavit 
provided  by  the  United  States  is  substantially  similar  to  the  content 
of  the  form  of  the  sample  affidavit,  and  it's  also,  the  content  is 
the  same  for  self-authentication  purposes  as  the  affidavit  presented 
by  the  defense  as  well. 

MJ:  Number  2  in  the  attestation  certificate  says,  'To  the  best 

of  —  That  the  electronic  systems  involved  can  accurately  record  and 
reflect  the  files  were  captured  at  or  near  the  time  of  the  date 
reflected  in  the  URL  assigned  to  each  file  by  virtue  of  the 
automatic  transfer  of  electronic  data.'  And  then  number  3  says, 

'Such  records  were  captured  by  Internet  Archive  or  received  from 
third-party  donors.'  How  does  this  affidavit  accurately  reflect  what 
a  third-party  donor  gave? 

ATC [CPT  von  ELTEN]:  Ma'am,  there  are  two  points.  One:  The 
Internet  archive  integrates  these  results  into  their  own  and 
therefore  adopts  them  and  under  - 

MJ:  But  how  does  that  show  that  they're  accurate?  They  just 

take  whatever  the  third-party  gives  them. 
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ATC [CPT  von  ELTEN] :  Also  in  United  States  or  in  Novak,  which  is 
cited  by  the  defense,  the  case  discusses  how  these  third-party 
donations  originate  and  it's  done  by  web  crawling  crawlers  which  are 
automated  processes,  and  automated  processes  have  a  lower  standard  of 
authenticity  under  Lubich. 

MJ:  Lubich  addressed  web  crawlers? 

ATC [CPT  von  ELTEN]:  It  addressed  automated  processes. 

MJ:  So  they  have  a  lower  standard  of  authenticity? 

ATC [CPT  von  ELTEN]:  Ma'am,  in  Lubich  an  unknown  analyst  created 
a  report  or  created  —  or  put  information  on  the  CDs  that  an  agent 
then  testified  about  the  contents  of  those  CDs,  and  the  agent  had 
some  familiarity,  but  he  didn't  have  personal  knowledge  of  the 
automated  process,  and  he  testified  that  he  knew  it  was  automated 
and  that  he  took  the  data  and  analyzed  it  himself.  That  is  analogous 
to  what's  happened  here  where  Internet  Archive  has  adopted  and 
integrated  these  records  from  third-party  sources  which  are  created 
by  an  automated  and  presented  --  and  set  them  forth  as  being  accurate 
under  that  process.  Again,  ma'am  - 

MJ:  Well  Lubich  also  had  a  defense  concession  that  the  records 

were  what  the  government  said  they  were. 

ATC [CPT  von  ELTEN]:  That  is  true,  ma'am,  but  this  would  be  an 
example  of  weight,  not  admissibility,  that  these  are  not  accurate 
before  the  Court. 
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MJ:  Lubich  cites  Weinstein  to  talk  about,  in  general, 

electronic  documents  and  records  that  are  merely  stored  in  a  computer 
raise  no  computer  specific  authentication  issues.  If  the  computer 
processes  data  rather  than  merely  storing  it,  authentication  issues 
may  arise.  Do  you  consider  this  a  process  or  a  storage? 

ATC [CPT  von  ELTEN] :  Ma'am,  I  consider  this  a  storage  because  it 
was  automatically  collected  and  the  Internet  Archive  certifies  that 
it  stores  records  at  or  near  a  certain  time.  An  Internet  Archive 
doesn't  process  them,  it  doesn't  manipulate  them,  it  doesn't  change  - 
-  it  essentially  takes  a  picture,  puts  it  into  storage  and  makes  it 
accessible  for  a  user  to  search  for  it. 

MJ:  Well,  that's  where  again  I'm  confused.  Explain  to  me,  you 

said  Internet  Archive  takes  the  picture. 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ:  How  does  the  third-party  donation  system  work? 

ATC [CPT  von  ELTEN]:  The  third-party  donation  system  as  explained 
in  Novak  works  by  the  web  crawler  automatically  taking  the  picture, 
and  then  the  only  entity  —  or  the  owner  of  the  web  crawler  donates 
that  picture  to  Internet  Archive.  That  would  simply  be  a  gap  that 
would  go  to  weight,  not  admissibility. 

MJ:  Are  you  aware  of  any  case,  criminal  case,  federal  or  state, 

that  has  allowed  admissibility  of  a  website  under  Internet  under 
one  of  these  affidavits  as  self-authenticating? 
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ATC [CPT  von  ELTEN] :  Not  as  self-authenticating.  However,  in 
United  States  v  Bansal  cited  by  the  United  States  in  its  brief, 
Internet  Archive  results  were  used  in  a  criminal  proceeding,  and  in 
that  case  they  were  one  of  the  bases  for  admission  or  for 
authentication  was  they  were  compared  to  a  previously  authenticated 
document.  In  this  case  Prosecution  Exhibit  110  is  substantially 
similar  in  content  to  Prosecution  Exhibit  109  and  that  would  be 
offered  also  as  corroboration  of  the  authenticity  of  Prosecution 
Exhibit  109  for  Identification. 

MJ:  All  right.  Is  that  in  your  brief? 

ATC [CPT  von  ELTEN]:  That  detail,  ma'am? 

MJ:  No.  United  States  v.  —  what's  the  case? 

ATC [CPT  von  ELTEN]:  Bansal,  B-A-N-S-A-L. 

MJ:  The  cite  is? 

ATC [CPT  von  ELTEN]:  One  moment,  ma'am.  Also  in  that  case,  ma'am 

MJ:  Can  I  have  the  cite  for  it,  please? 

ADC [CPT  TOOMAN] :  We've  got  it.  Your  Honor.  We  can  give  it  to 

them. 

MJ:  I'd  like  to  find  it  in  the  brief.  I'm  not  seeing  it. 

ADC [CPT  TOOMAN]:  Ma'am,  it's  on  Page  4,  the  last  paragraph, 

in  the  string  cites. 
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MJ:  Got  it.  Got  it.  Got  it.  Thank  you.  So  it's  Bansal. 

Okay.  So  in  that  case  they  compared  it  with  another  similar  exhibit? 

ATC [CPT  von  ELTEN] :  Yes,  ma'am.  In  that  case  the  evidence  was 
put  forth  talking  about  the  reliability  of  the  Internet  Archive  and 
then  it  was  compared  to  another  exhibit  for  authentication  purposes. 

MJ:  All  right.  Any  others? 

ATC [CPT  von  ELTEN]:  No,  ma'am. 

MJ:  What  about  Telewizjal 

ATC  [CPT  von  ELTEN]:  Telewizja  relied  on  an  affidavit,  ma'am. 

MJ:  So  that's  not  a  self-authenticating  case? 

ATC [CPT  von  ELTEN]:  No,  ma'am,  I'd  have  to  get  back  with  you  on 

that . 

MJ:  Okay.  I'm  sorry.  Proceed. 

ATC [CPT  von  ELTEN]:  Yes,  ma'am.  The  Internet  Archive  result  is 
relevant  because  it  explains  why  PFC  Manning  chose  to  compromise  the 
information  he  did.  PFC  Manning  conducted  searches  on  Intelink 
related  to  content  set  forth  in  Prosecution  Exhibit  109  for 
Identification.  PFC  Manning  admitted  to  compromising  information  to 
Mr.  Lamo  as  set  forth  there  in  Prosecution  Exhibit  109  for 
Identification.  Mark  Johnson  testified  PFC  Manning  discussed  mining 
the  open  source  center.  Mr.  Allen  also  testified  that  PFC  Manning 
conducted  research  on  the  open  source  center  related  to  Iceland  and 


8952 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


©  o 


WikiLeaks.  And  that  is  a  non-hearsay  purpose  of  explaining  why  PFC 
Manning  took  the  course  of  action  that  he  did. 

MJ:  All  right. 

ATC [CPT  von  ELTEN] :  And  PFC  Manning  also  discussed  compromising 
JTF  GTMO  information  with  the  Press  Association  account  that  Mr. 
Johnson  testified  has  been  associated  with  Mr.  Julian  Assange. 

MJ:  That  was  Mr.  Johnson? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am.  Finally,  Your  Honor,  the  United 
States  does  not  have  evidence  that  PFC  Manning  visited  these 
websites.  Excuse  me.  Your  Honor.  The  United  States  has  evidence 
that  PFC  Manning  visited  these  websites  based  on  the  facts  listed. 

PFC  Manning  also  wiped  his  computer  in  January  2010  eliminating 
additional  evidence  as  Agent  Mander  testified. 

MJ:  Yes? 

ADC [CPT  TOOMAN] :  We'll  object  to  that.  That's  pure 

speculation  on  the  part  of  the  government  that  the  wiping  of  the 
computer  eliminated  any  evidence. 

MJ:  Okay.  What  computer?  There  have  been  a  number  of 

computers  that  we  are  discussing. 

ATC [CPT  von  ELTEN]:  Personal  —  Mr.  Johnson  testified  that  PFC 
Manning  wiped  his  personal  Macintosh  computer. 

MJ:  Okay.  The  Court  will  disregard  any  reasons  why.  Go  ahead. 

But  it's  the  government's  theory  of  the  case  that  that's  why,  right? 
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ATC  [CPT  von  ELTEN] :  Yes,  ma'am.  And  additionally  Agent  Shaver 
testified  that  PFC  Manning  used  an  unauthorized  web  browser  which 
would  make  him  able  to  delete  his  history. 

MJ:  On  his  personal  computer? 

ATC [CPT  von  ELTEN]:  On  his  government  computer,  ma'am. 

MJ:  That  was  Mr.  Shaver? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ:  All  right. 

ATC [CPT  von  ELTEN]:  Thank  you,  ma'am. 

MJ:  Defense.  Can  you  go  in  the  same  order,  please? 

ADC [CPT  TOOMAN] :  Yes,  ma'am.  Your  Honor,  we'll  begin  by  noting 
the  government  in  their  brief  calls  this  a  lax  standard.  We  do  not 
believe  this  is  a  lax  standard.  The  government  bears  the  burden  of 
authenticating  this  information  before  it's  admissible. 

MJ:  Well,  Lubich  said  the  standard  is  not  high,  is  that  right? 

ADC [CPT  TOOMAN]:  It  may  have.  Your  Honor.  That's  not  a 

binding  case  on  this  Court  though. 

MJ:  It  isn't? 

ADC [CPT  TOOMAN]:  I  stand  corrected.  That  is  a  military  case. 

I  apologize.  Your  Honor,  we  think  the  more  appropriate  standard  is 
the  standard  set  forth  in  Novak. 

MJ:  So  the  Novak  standard  is  more  important  than  the  Lubich 

standard? 
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ADC [CPT  TOOMAN] :  We  think  that  it's  the  correct  standard. 

Your  Honor.  And  there  are  distinctions  with  the  Lubich  case  that 
I'll  be  happy  to  discuss.  There  we  were  talking  about  forensic 
images  of  computers. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  That's  not  what  we're  talking  about  here. 

We've  talked  about  forensic  images.  The  forensic  images  in  this  case 
have  been  admitted.  The  reports  based  on  those  forensic  images  have 
been  admitted.  That's  not  what  the  government's  attempting  to 
introduce  here. 

MJ:  Now,  Novak ,  does  that  address  Tweets? 

ADC [CPT  TOOMAN]:  It  does  not  address  Tweets,  Your  Honor. 

MJ:  So  is  that  case  relevant  more  to  your  109  argument  or  the 

31  and  32  as  well? 

ADC [CPT  TOOMAN]:  Well,  it's  relevant  to  31  and  32  as  well. 

Your  Honor,  because  those  exhibits  are  actually  Google  cache  images. 
So  those  exhibits  aren't  pulled  directly  from  Twitter. 

MJ:  I  thought  the  witness  said  that  he  had  pulled  it  and 

compared  the  current  version  with  the  Google  cache  version. 

ADC [CPT  TOOMAN]:  The  witness  said  that  he  —  one  way  that  you 

could  pull  a  Tweet  is  to  go  back  and  look  at  it  because  they're  all 
there.  He  also  said  he  didn't  do  that.  So  he  —  when  he  was 
explaining  how  you  could  acquire  this  Tweet,  he  said  there  are  two 
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ways,  you  could  do  a  search  using  Google  cache  or  just  Google  search 
it  directly,  the  content  of  it,  and  that  would  pull  it  up,  or  you  can 
go  to  Twitter.  And  he  said  what  he  did  was  the  first  way,  which  the 
first  way  being  you  just  search  for  it  directly  and  pull  it  up  on 
Google  cache.  And,  Your  Honor,  Mr.  Mander  said  the  same  thing  with 
respect  to  the  WikiLeaks  most  wanted  list,  109.  He  said  he  searched 
for  WikiLeaks  most  wanted  list  and  pulled  it  up  that  way.  He 
couldn't  get  to  it  when  he  actually  went  to  WikiLeaks  was  his 
testimony. 

MJ:  Okay.  Let's  stick  right  now  with  Prosecution  Exhibits  31 

and  32. 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

MJ:  I  believe  I  heard  the  government  argue  that  the  witness 

said  that  he  did,  he  pulled  it  up  through  Google  today  and  compared 
what  he  got  through  Google  today  with  what  he  got  from  Google  cache 
and  that's  not  the  defense's  view? 

ADC [CPT  TOOMAN]:  Well,  looking  at  the  transcript,  he  at  one 

point  said  that  he  didn't  do  that.  Now,  he  may  have  also  said,  and  I 
may  have  missed  it  when  I  was  reviewing  it,  that  that's  entirely 
possible.  But  he  definitely  said  there  were  two  ways.  I  didn't  do 
the  go  back  and  go  through  all  the  Tweets  essentially  because  I 
didn't  want  to  go  through  thousands  of  Tweets. 

MJ:  Okay. 
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ADC [CPT  TOOMAN] :  So  our  opinion  is  that  Google  cache  is 

analogous  to  the  Internet  Archive.  It  has  some  way  that  it  grabs 
this  information  and  there's  no,  there's  been  no  discussion  of  that 
before  the  Court.  The  Court  has  no  information  on  how  Google  cache 
does  that.  And  so  from  our  perspective  the  authentication  piece 
hasn't  been  met  with  respect  to  Google  cache.  There  should  be  — 
there  should  be  some  authentication  from  someone  from  Google  who 
would  explain,  hey,  this  is  what  we  do. 

MJ:  What's  the  defense's  position  with  the  government?  The 

government  has  two  different  authentication  approaches  to  Prosecution 
Exhibit  31  and  32  versus  109.  Versus  109  they're  arguing  self¬ 
authenticating  with  the  affidavit.  Prosecution  Exhibits  31  and  32 
they're  arguing  fall  under  M.R.E.  902  by  distinctive  characteristics. 
What's  the  defense's  position  with  respect  to  that? 

ADC [CPT  TOOMAN]:  Our  position  is  that  it  would  not  be 
authenticated  based  on  distinctive  characteristics. 

MJ:  And  does  Novak  deal  with  distinctive  characteristics? 

ADC [CPT  TOOMAN]:  I  don't  believe  it  does,  Your  Honor. 

MJ:  Okay.  Why  would  it  not  be  admissible  under  distinctive 

characteristics? 

ADC [CPT  TOOMAN]:  Well,  the  distinction.  Your  Honor,  is  a 

number  of  the  factors  that  they  talk  about  with  respect  to  self¬ 
authenticating  based  on  characteristics,  that  Tweet  talks  about  .mil 
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addresses.  Specifically  it  says  we  want  as  many  .mil  addresses.  It 
doesn't  say  we  want  the  GAL.  We  don't  —  It  doesn't  say  we  want  the 
Iraq  database. 

MJ:  I  think  what  the  government  has  argued  is  the  Tweets  have 
come  from  the  WikiLeaks  URL  address.  What  else  did  they  argue  here? 

ADC [CPT  TOOMAN] :  Well,  the  Tweets  come  from  Google  cache, 

Your  Honor.  We  would  also  point  to  the  case  —  I'm  sorry.  Your 
Honor . 

MJ:  Go  ahead. 

ADC [CPT  TOOMAN]:  We  would  also  point  to  the  case  cited  in  our 

brief.  In  Re:  Home  Store ,  which  says  printouts  of  Internet  web  pages 
are  not  self-authenticating. 

MJ:  Well,  so  the  government  —  as  I  understood  the  government 

they're  relying  on  distinctive  characteristics  under  M.R.E.  902  which 
wouldn't  be  a  self-authenticating  or  an  M.R.E.  901.  Am  I  getting  my 
rules  mixed  up  here. 

ATC [CPT  von  ELTEN] :  Distinctive  characteristics,  ma'am,  is 

901(b) (4) . 

MJ:  901(b)(4).  Okay.  So  the  government's  not  arguing  that 
Prosecution  Exhibits  31  and  32  are  self-authenticating.  They  haven't 
produced  any  affidavits  stating  any  of  that.  Are  you  saying  that 
they  have  to  or  can  they  authenticate  a  different  way? 
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ADC [CPT  TOOMAN] :  Well,  I  would  say  —  Well,  certainly 

producing  an  affidavit  would  be  one  way.  We  would  say  that  they 
couldn't,  the  distinctive  characteristics  here,  just  because  it  looks 
like  it,  anyone  can  create  a  web  page,  not  anyone,  but  people 
certainly  can  create  a  web  page  that  certainly  looks  like  WikiLeaks 
or  looks  just  like  Twitter,  and  we  provided  in  our  —  in  our  motion 
to  the  Court  a  number  of  instances  where  Twitter  has  been  hacked.  So 
we  would  say  that  based  on  that,  the  integrity  of  Twitter  would 
suggest  that  don't  just  take  it  for  face  value,  which  is  what  the 
government's  asking  you  to  do.  Hey,  it  was  on  Twitter,  it  must  be 
true,  authenticated.  Well,  Twitter  can  be  hacked,  it's  easy  to 
duplicate,  so  we  would  suggest  that  901(b)(4)  wouldn't  be  appropriate 
for  authentication  with  respect  to  the  Tweets. 

MJ:  What's  your  position  with  the  cases  cited  by  the  government 
that  stand  for  the  proposition  that  the  possibility  of  alteration 
goes  to  weight,  not  admissibility? 

ADC [CPT  TOOMAN]:  Could  I  have  a  moment.  Your  Honor? 

MJ:  Yes. 

[There  was  a  brief  pause  while  the  assistant  defense  counsel 
researched  information.] 

ADC [CPT  TOOMAN]:  Your  Honor,  I  guess  we  would  rely  on  sort  of 

the  general  rule  of  authentication  that  you  have  to  be  convinced  that 
it  is  what  they  purport  it  to  be. 
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MJ:  Okay.  Well,  would  you  agree  that  the  standard  would  be  not 

that  I  find  it's  what  the  government  purports  it  to  be,  but  a 
reasonable  fact-finder,  or  me  in  that  role  finds  it  be  what  the 
government  purports  it  to  be. 

ADC [CPT  TOOMAN]:  Yeah,  well,  yes.  I  guess  in  this  case,  you 

are  the  reasonable  fact-finder  here. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  If  you're  convinced,  then  - 

MJ:  I'm  not  there  yet.  Okay. 

ADC [CPT  TOOMAN]:  All  right.  Would  you  like  me  to  continue. 

Your  Honor? 

MJ:  Yes. 

ADC [CPT  TOOMAN]:  Okay.  I  think  we've  covered  authentication 

of  the  Tweets.  So  we  would  move  on  to  authentication  of  Prosecution 
Exhibit  109  for  Identification.  There  we  believe  the  Novak  case 
stands  for  the  proposition  that  the  government  needs  to  have  an 
affidavit  not  necessarily  from  the  Internet  Archive,  but  from  someone 
who  actually  has  knowledge  of  WikiLeaks.  And  all  of  this  sort  of 
ties  into  hearsay,  there's  a  lot  of  overlap,  but  with  respect  to 
something  from  the  Internet  Archive  and  particularly  the  most  wanted 
list,  this  is  quadruple  hearsay. 

MJ:  Well,  let's  talk  about  authentication  before  we  get  to 

hearsay. 
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ADC [CPT  TOOMAN] :  Okay.  We  would  suggest  that  Novak  stands 

for  the  proposition  that  someone  from  WikiLeaks  needs  to  testify 
about  what  was  on  their  page  at  a  certain  time.  When  you  look  at  the 
affidavit  from  Mr.  Butler,  he  doesn't  make  any  assertion  that  he  has 
personal  knowledge  of  what  was  taken.  He  says  all  I  know  is  what  the 
third-party  gave  to  us.  And  Your  Honor  asked  a  question  of  the 
government  about  process  versus  storage.  This  is  definitely  a 
process.  There  is  a  process  that  takes  place  to  get  this  data  by  the 
third-party. 

MJ:  Describe  that  process  to  me.  What  is  this  crawling? 

ADC [CPT  TOOMAN]:  We  don't  know.  Only  the  third-party  knows. 

I  imagine  that  it  sounds  from  the  frequently  asked  questions  and  Mr. 
Butler's  affidavits  and  the  Novak  case  that  third  parties  are  getting 
these  websites  somehow. 

MJ:  So  are  crawlers  going  from  Internet.org  to  these  third 

parties  or  do  these  third  parties  have  crawlers  and  they're  crawling 
and  then  they're  getting  things  to  Internet.org? 

ADC [CPT  TOOMAN]:  That's  our  understanding.  So  I  might  be 

interested  in  contributing  to  the  InternetArchive.org  mission.  I 
think  they  are  doing  a  great  thing  and  so  I  set  up  whatever  process 
I'm  going  to  run  to  gather  data  and  then  I  contribute  it  to  Internet 
Archive.  So  there's  no  authentication  of  the  process  this  third- 
party  is  running.  A  third-party  could  do  anything  with  that 
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information.  They  can  gather  that  information,  they  can  tweak  it  if 
they  wanted  to  and  then  send  it  to  the  Internet  Archive.  The 
Internet  Archive  has  no  idea  how  that  data  was  gathered  or  if  it  was 
manipulated  at  all.  All  they  can  say  is  Joe  gave  me  a  batch  of  data 
and  we  added  it  to  our  archive  and  this  is  what  our  archive  says.  We 
haven't  changed  what  Joe  or  Bob  or  Phil  or  whoever  gave  to  us,  but 
who  knows  what  that  individual  did  with  it.  And  who  knows  the 
process.  And  we  would  --  we  would  say  that  there  is  a  process,  that 
individual  is  running  a  process  in  order  to  get  the  information. 

MJ:  How  would  you  address  the  government's  contention  that  the 

reliability  is  enhanced  because  you  can  compare  Prosecution  Exhibit 
109  for  Identification  with  Prosecution  Exhibit  110  which  was  if  you 
go  on  the  Internet  today  and  that  comes  up? 

ADC [CPT  TOOMAN] :  Sure,  I  guess  if  you  can  compare  them,  you 

can  compare  them.  I  don't  know  that  we  would  could  really  respond 
to  that.  I  mean  if  they  look  the  same  I  guess  - 

MJ:  Do  you  think  it  enhances  the  reliability,  has  any  impact  on 

reliability? 

ADC [CPT  TOOMAN]:  I  don't  think  it  would  —  Well,  it  may 

enhance  the  reliability,  but  I  don't  think  it  enhances  the 
authentication.  I  still  think  there's  an  authentication  issue. 
Because,  again,  we're  talking  about  things  that  were  pulled  today, 
not  things  that  were  pulled  back  in  November  of  2009,  as  they  purport 
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them  to  be.  The  thing  that  is  being  compared  is  a  present  day 
version.  We've  gone  and  we  have  this  present  day  version  and  we're 
comparing  it  to  what  Internet  Archives  says  or  whatever  the  process 
is,  but  in  this  situation  we're  dealing  with  present  day  versions. 

No  one  is  looking  at  WikiLeaks  in  2009  and  telling  this  Court  what  it 
saw  in  2009. 

MJ:  Well,  if  you  pull  something  up  today  and  it  says  draft  most 

wanted  leaks  of  2009  sort,  and  then  you  compare  it  to  something  that 
is  coming  out  of  this  archive.org  that  is  also  entitled  draft  most 
wanted  leaks  of  2009  sort,  wouldn't  that  enhance  the  probability  that 
it  is  what  it  purports  to  be? 

ADC [CPT  TOOMAN] :  It  would.  Your  Honor. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  Your  Honor,  while  we're  addressing 

authentication,  the  government  spoke  about  the  process  through  which 
they  acquired  their  affidavit  and,  if  I  could,  I'd  like  to  publish 
one  of  the  attachments  we  provided  to  the  Court  yesterday. 

MJ:  Certainly. 

ADC [CPT  TOOMAN]:  Your  Honor,  this  is  one  of  the  attestation 

certificates  that  the  government  provided  to  the  Court.  I  believe 
it's  from  Appellate  Exhibit  160.  It's  pre-admitted  evidence.  And 
this  wasn't  an  attachment  to  our  motion,  but  I  think  the  Court  got  a 
copy  yesterday. 


8963 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


o 


Q 


MJ:  Yes. 

TC [MAJ  FEIN]:  Your  Honor,  may  I  have  a  moment? 

MJ:  Yes. 

TC [MAJ  FEIN]:  Thank  you,  ma'am. 

[There  was  a  brief  pause  while  the  trial  counsel  consulted  with  the 
assistant  defense  counsel.] 

MJ:  This  is  part  of  the  government's  brief,  is  that  correct? 

Is  this  Prosecution  Exhibit  160  or  is  this  part  of  the  government's 
brief? 

ADC [CPT  TOOMAN] :  No,  ma'am.  It's  Appellate  Exhibit  160.  So 

this  is  one  of  the  attestation  certificates  the  government  provided 
during  a  39(a)  we  had  last  summer  when  they  were  pre-admitting 
documents  and  I  believe  this  one  had  to  do  with  IA  training  that  PFC 
Manning  took. 

MJ:  Okay.  Part  of  the  defense  brief.  I  knew  I  saw  it.  Got 

it. 

ADC [CPT  TOOMAN]:  Yes,  ma'am.  So  we  would  point  to  the 

attestation  certificate  which  would  be  part  of  the  government  brief 
from  Mr.  Butler  where  the  government  set  forth  that  this  was  what 
they  did  for  expediency  was  they  sent  Mr.  Butler  their  form.  Well, 
expediency  would  be  for  Mr.  Butler  to  use  the  form  that  he's  used  to 
And  defense  would  also  suggest  this  isn't  the  normal  form  that  the 
government  uses.  And  we  would  just  ask  the  Court  to  compare  what  Mr 
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Butler  signs  and  what  has  previously  been  used  which  we  would  say  is 
what  the  government  normally  uses.  What  the  government  normally 
uses,  we  have  five  paragraphs,  and  what  Mr.  Butler  signed  only  has 
four.  Some  of  the  language  has  been  changed.  For  example,  in 
Paragraph  1  of  Mr.  Butler's  attestation  there  is  no  indication  that 
he's  a  custodian  of  these  records  as  there  is  in  this.  There  is  no 
attestation  that  he  has  personal  knowledge  in  his  certificate  as 
would  be  required  to  authenticate.  He  doesn't  say  that  it  was  made 
in  the  regular  practice  of  his  duties.  And  he  doesn't  say  it's  a 
complete  record  as  is  said  here.  We'll  direct  the  Court  to  Number  5, 
it  says  the  records  are  a  true,  accurate  and  complete  copy.  That's 
not  what  Mr.  Butler  says.  Mr.  Butler  says  the  records  are  true  and 
accurate  copies  of  the  original  documents  in  the  Internet  Archive 
Wayback  machine  servers.  Are  they  complete?  We  don't  know.  And 
we'll  get  into  the  completeness  a  little  bit  down  the  road  when  we 
talk  about,  when  I  talk  about  hearsay.  And  I  guess  just  to  address 
Your  Honor's  earlier  question  about  comparing  the  documents,  we  would 
say  that  the  issue  isn't  whether  or  not  you  can  compare,  the  issue  is 
what  does  it  look  like  in  2009.  And  nothing  that  the  Court  has 
before  it  tells  us  what  any  website  looked  like  in  2009  or  2010. 

Move  on  to  hearsay.  Your  Honor? 

MJ:  Okay. 
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ADC [CPT  TOOMAN] :  With  respect  to  the  Tweets,  there's  an  issue 
of,  we  would  say,  double  hearsay.  You  have  a  Tweet  from  WikiLeaks, 
and  then  you  have  Google  cache  saying  what  WikiLeaks  said  in  their 
Tweet.  So  there's  two  levels  of  hearsay.  And  before  we  even  get 

MJ:  Well,  let  me  ask  about  that.  On  the  Google  cache  they're 
pulling  up  just  something  on  a  website.  What's  the  authority  that 
you're  relying  on  to  say  that  that's  hearsay,  as  opposed  to  just 
whatever  is  appearing  on  the  website? 

ADC [CPT  TOOMAN]:  Sure.  We  would  say  that  when  Google  cache 

takes  it  and  puts  it  up,  they  are  saying  what  WikiLeaks  said  and  here 
it  is.  This  is  what  they  said  at  this  time  purportedly,  so  now 
they're  making  a  statement  as  to  what  WikiLeaks  said.  But  really 
before  we  even  get  there.  Your  Honor,  we  would  say  that  these  aren't 
even  statements.  These  are  made  by  a  corporation  or  an  organization. 
And  so  a  declarant  has  to  be  a  person.  So  this  goes  to 

MJ:  Then  how  is  it  hearsay? 

ADC [CPT  TOOMAN]:  Well,  this  goes  to  state  of  mind,  the  state 

of  mind,  plan  and  motive.  It  doesn't  fall  within  the  exception 
because  - 

MJ:  Well,  it  has  to  be  hearsay  first  to  get  to  the  exception 

piece . 

ADC [CPT  TOOMAN]:  Right. 
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MJ:  The  government's  purported  that  they're  using  it  for  a  non¬ 

hearsay  purpose.  What's  your  position  on  that? 

ADC [CPT  TOOMAN] :  Well,  I'll  address  the  non-hearsay  purposes 

in  order.  First  we  have  the  state  of  mind,  plan  or  motive  of 
WikiLeaks  was  I  think  the  first  hearsay  exception  the  government 
addressed.  The  plan  or  state  of  mind  of  WikiLeaks  has  nothing  to  do 
with  PFC  Manning.  Nothing  to  do  with  him.  They  can  plan  and  do 
whatever  they  want.  That  doesn't  affect  PFC  Manning. 

MJ:  If  the  government  is  offering  this  most  wanted  list,  is  it, 

and  maybe,  as  I  understand  what  they're  saying  is,  well,  here  you're 
on  the  Tweets.  Never  mind.  We're  not  talking  about  that  yet.  But 
the  Tweets  are,  as  I  understood  what  the  government  was  saying,  was 
that  they  were  offering  it  for  the  fact  that  this  is  what  WikiLeaks 
put  out  there.  Whether  they  were  actually  planning  on  doing  it  or 
not  is  irrelevant.  A  reader  could  come  and  say,  okay,  this  is  what 
they're  putting  out  there  that  they  plan  to  do,  so  that's  the 
relevance  not  whether  they  actually  plan  to  do  it  or  not. 

ADC [CPT  TOOMAN]:  We  understood  I  guess  two  hearsay  exceptions 

the  government  was  relying  on.  One  was  the  plan,  state  of  mind, 
intent  of  WikiLeaks,  and  one  was  the  effect  on  the  listener. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  And  - 

MJ:  So,  start  off  with  the  plan  of  WikiLeaks  then. 
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ADC [CPT  TOOMAN] :  Okay.  And  I  guess  another,  all  of  these  are 

so  intertwined  I'm  going  to  go  back  for  a  minute  to  authentication 
and  it's  an  idea  that  is  going  to  be  relevant  throughout  this 
discussion,  but  the  Hopcheque  or  Hopchecue  case  the  government  cited 
in  their  brief  —  I'll  give  you  a  pinpoint  cite  of  page  1121  with 
respect  to  authentication,  that  case  says  there  has  to  be  a 
connection  between  the  accused  or  the  defendant  and  the  thing  which 
you're  trying  to  authenticate.  And  so,  and  we'll  get  into  the 
connection  with  PFC  Manning  and  these  things  when  we  talk  about 
hearsay  as  well,  but  we'd  ask  you  to  just  consider  that  with  respect 
to  authentication  as  well.  So  first  the  plan,  state  of  mind,  the 
plan,  motive,  state  of  mind  of  WikiLeaks. 

MJ:  So  as  I  understand  the  defense,  you're  understanding  of 

what  the  government  is  doing  is  they're  offering  it  for  hearsay  and 
now  it's  a  hearsay  exception  for  state  of  mind? 

ADC [CPT  TOOMAN]:  Yes. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  That's  our  understanding.  The  state  of  mind 

of  WikiLeaks  has  nothing  to  do  with  PFC  Manning.  PFC  Manning  is  not 

charged  with  conspiracy.  So  what  WikiLeaks  intends  to  do,  it  doesn  t 

matter.  It  has  no  impact  on  PFC  Manning.  And  sort  of  the 

overarching  theme  of  all  of  this  is,  you  know,  did  he  actually  see 
any  of  this?  Did  he  ever  actually  see  it?  So  whether  we're  talking 
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about  effect  on  the  listener  or  authentication,  there  has  to  be  a 
connection  between  PFC  Manning  and  these  documents,  and  there's  not  a 

connection  between  PFC  Manning  and  these  documents. 

MJ:  Well,  isn't  that  a  question  of  fact?  Right  now  we're 

talking  about  admissibility  of  things.  As  I  understand  the 
government's  theory,  is  this  provides  circumstantial  evidence,  it  was 
there  in  2009,  those  were  the  times  that  PFC  Manning  was  doing  the 
searches  so  that's  circumstantial  evidence  that  he  might  have  seen 
it. 

ADC [CPT  TOOMAN] :  Sure.  But  I  —  the  defense's  position  is  if 

you're  going  to  talk  about  the  effect  on  the  listener,  there's  got  to 

be  a  listener,  someone  has  to  have  heard  it,  and  the  person  that  has 
to  have  heard  it  is  PFC  Manning. 

MJ:  I  understand.  And  the  defense's  position  is  he  didn't  hear 

it.  I  got  that.  Isn't  that  going  to  ultimately  be  a  question  of 
fact  at  the  end  of  the  day? 

ADC [CPT  TOOMAN]:  Well,  it  is,  but  the  defense  believes  that 

you  have  to  resolve  that  piece  when  determining  the  admissibility 
because  in  order  to  rule  on  the  hearsay  exception  of  effect  on  the 
listener.  Your  Honor  would  have  to  determine  that  there  was  a 
listener  and  that  there  was  enough  evidence  that  he  actually  heard 
it.  Otherwise  it  shouldn't  be  admitted  as  not  a  hearsay  exception, 
but  as  non-hearsay. 
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MJ:  So  it's  the  defense's  position  that  it  shouldn't  be 

admitted  for  the  impact  on  the  listener  as  a  stepping  stone  that  this 
is  the  government  theory  of  the  case,  opportunity  to  look,  could  have 
seen  the  statement,  therefore  the  impact  was  that's  why  he  acted  like 
he  acted,  that  that  foundation,  because  it's  a  foundational  piece  and 
doesn't  absolutely  establish  the  connection  that  it  shouldn't  be 
admitted. 

ADC [CPT  TOOMAN] :  Right.  The  defense  position  is  if  you're 

going  to  admit  something  for  the  non-hearsay  purpose  of  effect  on  the 
listener,  you  need  to  prove  that  he  heard  it.  You  have  to  convince 
the  reasonable  fact-finder,  Your  Honor,  that  PFC  Manning  heard  it. 

And  there ' s  - 

MJ:  Well,  again,  that's  the  fact  finding  piece  later  on.  Right 

now  I'm  just  doing  as  a  question  of  law  the  admissibility  of  the 
document  at  issue. 

ADC [CPT  TOOMAN]:  Right. 

MJ:  So  you're  saying  I  need  to  make  that  finding  in  this  step, 

this  level  now,  too? 

ADC [CPT  TOOMAN]:  Right.  Our  position  would  be  Your  Honor 

needs  to  determine  whether  or  not  PFC  Manning  heard  it.  And  then  if 
you  determine  that  it's  reasonable  that  he  heard  it,  then  it  would  be 
—  then  you  could  admit  it  and  then  make  a  determination  based  on  the 
facts  what  weight  to  give  it.  And  so  the  government's  pointed  to 


8970 


Q 


O 


1  circumstantial  evidence  that  PFC  Manning  may  have  seen  them,  and  our 

2  position  is  the  circumstantial  evidence  that  he  didn't  see  it  far 

3  outweighs  any  circumstantial  evidence  that  he  did.  And  I'll  address 

4  those  Tweets  in  turn. 

5  MJ:  Okay. 

6  ADC [CPT  TOOMAN] :  And  the  list.  So  Prosecution  Exhibit  31  is 

7  the  email  list.  The  email  list,  well  first  of  all,  there's  mountains 

8  of  forensic  evidence  in  this  case,  particularly,  you  know,  the 

9  government  likes  to  point  to  the  fact  that  PFC  Manning's  machine  was 

10  wiped  in  late  January.  With  respect  to  the  May  Tweet,  that  evidence 

11  would  be  there.  And  with  respect  to  the  .22  machine,  his  primary 

12  SIPR  machine,  it  would  be  there  as  well.  And  so  the  forensic 

13  experts,  Mr.  Shaver  and  Mr.  Johnson,  who  have  testified  about  the 

14  primary  SIPR  and  the  personal  Mac,  they  looked  for  anything  related 

15  to  WikiLeaks.  Anything.  And  they  didn't  find  Tweets  on  PFC 

16  Manning's  computer.  They  found  all  sorts  of  other  things  to  do  with 

17  WikiLeaks.  They  found  things  to  do  with  WikiLeaks  in  April.  So  it's 

18  not  an  issue  of  him  having  cleared  his  Internet  history.  So  if  he 

19  had  seen  the  Tweet  in  May,  there  would  be  evidence  of  it  on  one  of 

20  his  computers,  and  there's  not.  And  our  opinion  is  that  outweighs 

21  the  fact  that  they  had  had  a  Tweet  about  email  addresses  and  then  he 

22  downloaded  email  addresses.  We  think  that  the  fact,  and  I  guess  also 

23  relevant  to  this  discussion  is  the  supply  room  computer  where  we  had 
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the  stipulation  of  Mr.  Williamson  and  Mr.  Williamson  didn't  find  any 
references  to  Twitter  on  the  --  on  Twitter  on  the  supply  room 
computer  where  there  would  have  been.  There  was  all  sorts  of  other 
things  tying  that  computer  to  PFC  Manning,  his  Gmail  account, 
purchases  on  Amazon,  other  activity  that  was  clearly  done  by  PFC 
Manning,  but  there  was  no  —  there  was  no  Twitter  or  WikiLeaks  on  the 
supply  room  computer.  And  so  those  are  the  computers  which  PFC 
Manning  would  have  used  to  access  Twitter  and  there's  nothing  on 
there.  And  so  our  position  is  that  that  outweighs  the  circumstantial 
evidence  provided  by  the  government  and  PFC  Manning  didn't  see  that 
Tweet . 

With  respect  to  the  next  Tweet,  the  video  Tweet,  again,  no 
Internet  history,  no  evidence  of  him  having  viewed  it  in  January  and 
the  government  points  to  references  in  chats  later  in  the  spring.  At 
no  point  does  PFC  Manning  say  he  gave  WikiLeaks  the  encrypted  video. 
He  never  says  that.  He  says  they  have  it.  He  had  a  number  of  chats 
with  Press  Association,  he  could  have  learned  it  there.  In  his 
providence  inquiry  he  told  the  Court  - 

MJ:  That  I'm  not  interested  in. 

ADC [CPT  TOOMAN] :  Okay.  There  are  a  lot  of  ways  that  PFC 

Manning  could  have  learned  about  that  video.  The  government  hasn't 
established  that  he  learned  it  from  the  Tweet.  There's  no  forensic 
evidence  pointing  to  the  Tweet.  They  haven't  found  a  Twitter  account 
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of  PFC  Manning  that  shows  him  following  WikiLeaks.  And  all  of  the 
evidence  we've  heard  about  the  Farah  video  has  pointed  to  a  couple 
things.  First,  the  Brady  material  of  this  Jason  Katz  character  who 
has  it  in  December  of  2009  and  has  no  connection  whatsoever  to  PFC 
Manning.  That's  where  we've  heard  about  the  Farah  video.  Someone  has 
the  same  version,  hash  value,  same  version  as  CENTCOM. 

MJ:  I  understand  all  of  this  for  your  closing  argument.  Where 

I'm  having  trouble  following  this  is  we're  talking  with  admissibility 
of  the  Tweet. 

ADCtCPT  TOOMAN] :  Sure.  Again,  Your  Honor,  the  relevancy  of 

this  is  conditioned  upon  a  fact  and  the  admissibility  of  this 
evidence  is  based  on  whether  or  not  he  heard  it.  So  our  position  is 
this  is  something  that  you  need  to  determine  right  now. 

MJ:  Is  it  relevant  that  if  it's  there  at  the  time  that  he  had 

an  opportunity  to  hear  it? 

ADC [CPT  TOOMAN]:  I'm  sorry. 

MJ:  Wouldn't  it  be  relevant,  because  the  Tweet  is  there  at  the 
time  that  PFC  Manning  is  involved  in  WikiLeaks,  that  he  had  an 
opportunity  to  see  it? 

ADC [CPT  TOOMAN]:  No,  we  don't  think  so.  We  think  that  you 

would  have  to  show  that  he  actually  saw  it.  For  something  to  affect 
PFC  Manning,  he  has  to  actually  have  seen  it.  He  has  to.  Otherwise 
it  can't  affect  him. 
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MJ:  I  agree  with  you  on  that. 

ADC [CPT  TOOMAN] :  So  that's  what  we  think  the  Court  has  to 

determine  now  is  did  he  hear  it,  did  he  see  it,  does  the  evidence 
that  we've  heard  and  we've  heard  - 

MJ:  But  I  guess  —  All  right.  So  you're  saying  that  the 

admissibility  for  —  so  you're  saying  that  the  opportunity  to  see  it, 
it's  the  defense's  position  is  that  that's  not  enough. 

ADC [CPT  TOOMAN]:  No.  Correct,  Your  Honor.  That's  correct. 

MJ:  Now,  the  cases  that  you  cite  for  that,  I  don't  remember 

offhand  the  exact  name  of  the  case,  but  the  one  I'm  thinking  of  is 
where,  the  murder  case  where  the  defendant  was  trying  to  say  that  a 
third-party  was  going  to  —  killed  the  victim  based  on  and  wanted 
to  introduce  statements  from  two  witnesses  that  said  that  the  third- 
party  made  statements.  Refresh  my  recollection  on  that.  The  third- 
party  made  statements  that  they  - 

ADC [CPT  TOOMAN]:  Well,  Your  Honor,  the  federal  case,  Brandon 

v  Villas  of  Maywood,  there  was  a  1980  —  a  1983  claim,  and  you  had  an 
alleged  drug  dealer,  and  then  there  were  two  women  who  said,  hey,  are 
you  working  today. 

MJ:  That's  the  one  I'm  thinking  of. 

ADC [CPT  TOOMAN]:  Or  allegedly  said,  hey,  are  you  working 

today.  And  so  what  the  Court  needed  to  determine  was  whether  or  not 
the  officers  actually  heard  that  to  determine  whether  or  not  they  had 
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probable  cause  that  he  was  engaged  in  drug  activity.  So  there  the 
Court  had  to  figure  out,  did  these  police  officers  actually  hear  what 
those  women  said?  If  they  didn't  hear  it,  then  there  could  have  been 
no  effect  on  them. 

MJ:  I'm  mixing  up  two  cases.  I've  got  that  case  and  then  New 

Mexico  v.  Rosales  where  you  have  the  Court  excluded  witness  testimony 
that  that  victim  said  that  a  third-party  owed  him  a  debt.  There  was 
no  evidence  that  the  third-party  knew  about  the  debt.  So  do  either 
of  these  cases  address  opportunity?  I  mean  in  both  of  these  cases  I 
think  it  was  pretty  clear  that  the  person  didn't  hear  it. 

ADC [CPT  TOOMAN] :  Right.  I  don't  believe  they  do  address 

opportunity.  Your  Honor.  I  believe  they  address  whether  or  not  the 
person  actually  heard  it. 

MJ:  Are  you  aware  of  any  case  that  does  address  that? 

ADC [CPT  TOOMAN]:  We're  not.  Your  Honor.  And  this  seems  to  us 

a  fairly  obvious  proposition  that  for  there  to  be  a  listener,  you've 
got  to  have  heard  it,  so  we're  not  aware  of  any  case. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  With  respect  to  —  so  I  guess  all  we  just 

talked  about  would  apply  to  the  WikiLeaks  most  wanted  list  as  well. 
And  there.  Your  Honor,  we  believe  there's  quadruple  hearsay.  You 
have  the  defense  exhibit  of  the  other  version  of  the  WikiLeaks  most 
wanted  list  that  has  the  introductory  - 
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MJ:  Was  that  introduced? 

ADC [CPT  TOOMAN] :  It  was,  yes.  Your  Honor. 

MJ:  That  was  Defense  Exhibit? 

ADC [CPT  TOOMAN]:  I  think  it  was  J  or  F.  Maybe  F. 

CDC [MR .  COOMBS]:  It's  F,  Your  Honor. 

MJ:  Okay.  May  I  see  that  from  the  court  reporter  as  well? 

All  right.  I  have  it. 

ADC [CPT  TOOMAN]:  So  what  this  list  makes  clear  is  that 

WikiLeaks  wants  journalists,  activists,  historians,  lawyers,  police 
and  human  rights  investigators  to  send  them  things  that  they  are 
interested  in.  If  there's  a  piece  of  information  that  you  know  is 
out  there  that  exists  and  it  would  help  you  do  whatever  it  is  that 
you  do,  send  it  to  us  and  we'll  add  it  to  the  list.  So  this  list  is 
populated  by  statements  from  those  people.  And  then  the  list  itself 
is  a  statement.  And  then  the  third-party,  whoever  provided  that  web 
page  to  Internet  Archive  is  making  the  statement  that  this  is  what  I 
saw  and  this  is  what  I'm  telling  Internet  Archive.  And  the  Internet 
Archive  is  making  the  statement  that  this  is  what  WikiLeaks  had  on 
their  site  on  whatever  day. 

MJ:  Let's  go  statement  by  statement.  If  you're  talking  about 

the  actual  statement  itself,  the  most  wanted  list,  what  these 
countries  actually  wanted,  I  believe  the  government's  position  is 
it's  not  being  offered  for  the  truth  that  countries  really  wanted 
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that  stuff,  it's  being  offered  for  what's  being  put  on  the  Internet 
for  other  people  to  see. 

ADC [CPT  TOOMAN] :  Okay. 

MJ:  And  then  the  impact  it  would  have  on  PFC  Manning  as  we 

talked  about  earlier  if  he  saw  it. 

ADC [CPT  TOOMAN] :  Right. 

MJ:  So  what's  the  defense's  position  with  that  non-hearsay 

purpose? 

ADC [CPT  TOOMAN]:  That's  probably  a  reasonable  way  to  look  at 

that,  we  would  say,  for  that  first  level  of  hearsay. 

MJ:  So  let's  go  to  level  two. 

ADC [CPT  TOOMAN]:  Level  two.  Here's  where  we  think  that 

somebody  from  WikiLeaks  that  comes  in  and  actually  authenticates 
this.  WikiLeaks  are  the  people  who  have  the  knowledge,  the  personal 
knowledge  of  their  list.  So  they're  the  ones  in  our  view  who  need  to 
authenticate  it.  They're  the  only  ones  who  can.  Because  there's  no 
one  who  —  well,  certainly  someone  probably  saw  this  list  in  November 
of  2009,  but  they've  not  testified  before  this  Court.  And  so  absent 
someone  who  actually  saw  this  site  in  2009,  it  would  have  to  be 
WikiLeaks  to  come  in  here  and  say  this  is  what  our  site  looked  like 
in  2009. 
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MJ:  Now,  you've  cited  Novak  basically  in  support  of  that 
proposition.  Are  you  aware  of  any  other  cases  other  than  Novak  that 
have  gone  the  same  way  that  you're  discussing? 

ADC [CPT  TOOMAN] :  There  are  a  series  of  cases  that  cite  Novak, 

I  don't  know  that  any  of  them  are  exactly  on  point.  But  the  decision 
in  Novak  was  reviewed  on  appeal  and  it  was  upheld,  at  least  with 
respect  to  the  evidentiary  rulings. 

MJ:  Now,  are  you  aware  of  any  cases  that  have  gone  the  other 

way,  criminal  cases? 

ADC [CPT  TOOMAN]:  No,  ma'am,  and  that's  —  I  guess  - 

MJ:  How  would  you  distinguish  the  one  the  government  is  talking 

about? 

ADC [CPT  TOOMAN]:  To  distinguish  —  The  way  we  would 

distinguish  the  way  the  one  the  government  is  talking  about  is, 
again,  we’re  not  talking  about  forensic  images  here. 

MJ:  That's  the  blame  —  what's  the  name  of  - 

ADC [CPT  TOOMAN]:  Lubich,  I  believe.  Your  Honor.  We  think  the 

evidence  here  is  fundamentally  different  than  the  evidence  that 
Lubich  considered. 

MJ:  Not  Lubich.  The  Bansal  case.  I  think  you  gave  me  the  cite 

for  it.  The  government  has  purported,  and  again,  I  just  got  this 
stack  of  information,  I  haven't  read  everything  yet,  but  Basnal,  it 
says  they  compared  it  with  a  similar  exhibit. 
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ADC [CPT  TOOMAN] :  Right.  They  compared  it  —  In  Basnal  they 

compared  it  to  something  that  had  already  been  authenticated.  So 
here,  that's  not  what  we  have  here.  We  don't  have  anything  that's 
been  authenticated.  So  if  they're  able  to  authenticate  the  list  and 
then  pull  the  list  off  of  archive.org,  I  guess  that  would  work,  but  I 
don't  know  why  they  would  need  to  do  that  if  they  already  had  an 
authenticated  list. 

MJ:  And  what's  the  third  level  of  hearsay? 

ADC [CPT  TOOMAN]:  The  third  level  of  hearsay  is  the  individual 
who  collected  it  off  of  WikiLeaks  and  then  donated  it  to  archive.org. 
And  we  believe  that  that  person  would  be  required  to  testify  because 
they  would  have  to  authenticate  it  with  respect  to  did  they  alter  it 
in  any  way,  the  same  way  they  would  have  to  --  anyone  else  would  have 
to  attest  this  is  the  process  I  go  through,  I  normally  do  this,  this 
is - 

MJ:  How  would  you  distinguish  that  from  business  records  cases 

that  rely  on  M.R.E.  806(6)  and  902(11)  where  an  entity  has 
incorporated  something  from  another  entity  in  the  course  of  its 
business?  As  I  understand  the  case  law,  that's  been  accepted  so  long 
as  the  entity  giving  the  affidavit  says  this  is  how  I  do  business  and 
I  routinely  use  records  from  entity  B? 

ADC [CPT  TOOMAN]:  Right.  Well,  we  would  say  that  here  they 

haven't,  they  haven't  authenticated,  they  being  Internet  Archive,  Mr. 
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Butler,  hasn't  authenticated  anything  that  that  third-party  did. 

They  don't  —  Mr.  Butler,  in  all  likelihood,  doesn't  know  who  that 
third-party  even  is.  My  guess  is  the  cases  would  flush  out  that  it 
would  be  someone  you're  doing  business  with  and  you  have  some  sort  of 
relationship  with,  and  the  person  who  is  attesting  would  have  that 
relationship.  Here  Mr.  Butler  doesn't  say  he  knows  these  people,  he 
just  knows  we  get  this  information  from  them.  We  don't  know  how  it's 
acquired. 

MJ:  Well,  let's  compare  it.  you're  getting  bank  records,  for 

example,  and  records  of  someone's  checks.  Someone  else  would  be 
giving  the  checks  to  the  bank  and  the  bank  is  collecting  the  checks. 
What's  the  difference? 

ADC [CPT  TOOMAN] :  Well,  there  I  think  the  check,  that  would  be 

something  that  speaks  for  itself  on  its  face.  You  can  see  the  check 
and  you  can  see  if  the  check  had  been  altered.  You  would  just  by 
looking  at  it  be  able  to  tell,  okay,  hey,  this,  nothing  looks  fishy 
here.  With  these  Internet  Archive  —  with  these  websites,  who  knows? 
You  don't  know.  You  can't  look  at  a  website  and  tell  if  it's  been 
altered  in  any  way  facially  just  by  looking  at  it.  And  so,  I  guess 
finally.  Your  Honor,  I  think  we've  - 

MJ:  Level  one,  two  and  three.  You  said  quadruple  hearsay. 

What's  level  four? 
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ADC [CPT  TOOMAN] :  That's  Internet  Archive's  attestation.  And 

again,  we  don't  think  that  that's  adequate  in  this  case  because  the 
attestation  makes  clear  - 

MJ:  Level  three  and  four  are  the  same? 

ADC [CPT  TOOMAN]:  No.  Three  is  that  third-party. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  And  then  four  is  Internet  Archive. 

MJ:  So  are  you  really  saying  that  that's  a  hearsay  objection  or 

really  that  the  authentication  just  is  not  good  enough? 

ADC [CPT  TOOMAN]:  Well,  I  would  say  —  Well,  it's  both. 

MJ:  How  is  it  hearsay?  Why  would  it  be  hearsay  when  every 

other  authentication  is  an  authentication? 

ADC [CPT  TOOMAN]:  Internet  Archive  holding  it  out  and  saying  this 
is  what  this  site  said  at  this  time,  that's  a  statement  in  our  view. 

MJ:  Okay.  Got  it. 

ADC [CPT  TOOMAN]:  Finally,  Your  Honor,  we  also  have  a 

relevance  objection  to  all  three  of  these  things.  Really  these 
documents,  they  go  towards  the  government's  theory  of  their  case,  but 
that's  all  they  go  to.  They  go  towards  the  theory.  They  don't  make  a 
fact  in  consequence  any  more  likely  than  not. 

MJ:  Opportunity  doesn't  make  a  fact  in  consequence  more  likely? 

ADC [CPT  TOOMAN]:  I'm  sorry.  Your  Honor. 
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MJ:  Opportunity  wouldn't  make  the  fact  in  consequence  more 

likely? 

ADC [CPT  TOOMAN] :  Whether  or  not  PFC  Manning  saw  any  of  these 

things  doesn't  make  it  any  more  likely  than  not  that  he  had  actual 
knowledge  that  the  enemy  used  WikiLeaks,  doesn't  make  it  any  more 
likely  that  he  could  have  known  that  release  of  this  information 
could  cause  damage,  it  doesn't  make  it  any  more  likely  that  this  is 
worth  some  amount  or  another  amount.  And  so  our  position  is  that  it 
doesn't  make  any  fact  in  consequence  more  or  less  likely.  And  what's 
interesting  about  that  is  the  version  of  the  website  that  the 
government  provided,  and  we  think  just  looking  at  the  version  and 
comparing  it  to  the  defense's  version  makes  clear  that  all  of  this 
goes  to  is  their  theory  of  the  case.  They've  given  you  the  version 
they  want  you  to  think  PFC  Manning  saw.  Well  there's  another 
version,  and  that's  the  version  the  defense  has  given  the  Court  that 
would  be  inconsistent  with  their  theory. 

MJ:  Just  to  make  sure  I  understand  the  testimony,  is  it 

defenses  —  as  I  understood  the  testimony,  and  correct  me  if  I'm 
wrong,  when  you  pull  up,  or  the  investigator  testified  when  he  pulls 
up  WikiLeaks  today  you  get  a  multiple  number  of  these  lists. 

ADC [CPT  TOOMAN] :  I  believe  his  testimony.  Your  Honor,  was  he 

couldn't  get  to  the  list  when  he  went  to  WikiLeaks.  He  would  have  to 
Google  search  WikiLeaks  most  wanted  list  2009  and  then  multiple 
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1  versions  come  up.  But  when  he  actually  goes  to  WikiLeaks,  he 

2  couldn't  find  it.  And  so  just  based  on  that,  you  see  multiple 

3  versions  come  up,  the  government's  chosen  the  one  that  is  consistent 

4  with  their  theory;  not  the  one  that  advances  a  fact  in  evidence,  the 

5  one  that's  consistent  with  their  theory.  It's  no  more  likely  because 

6  they're  basically  an  unsorted  version  and  a  sorted  version.  The 

7  unsorted  version  has  the  introductory  language  that  talks  about 

8  WikiLeaks  mission  and  wanting  to  have  political  impact  and  things 

9  like  that.  That's  the  one  that  talks  about,  that  really  talks  about 

10  the  state  of  mind  and  the  intent  and  the  plan  of  WikiLeaks.  That's 

11  not  the  version  the  government's  offered  because  that's  not 

12  consistent  with  their  theory  that  WikiLeaks  - 

13  MJ:  I  understand  that. 

14  ADC [CPT  TOOMAN] :  So  it's  not  —  it  doesn't  go  to  a  fact  in 

15  evidence.  The  government  should  have  introduced  both  versions  if  they 

16  think  he  had  just  as  likely  an  opportunity  to  see  the  unsorted 

17  version  as  he  had  the  sorted  version. 

18  MJ:  That's  why  we  have  an  adversarial  process,  right? 

19  ADC [CPT  TOOMAN]:  Yes,  ma'am.  Absolutely.  To  us  though  it's 

20  clear  that  it  doesn't  go  to  any  fact  in  evidence,  or  it  doesn't  go  to 

21  making  something  more  or  less  likely,  it  just  goes  to  their  theory  of 

22  the  case,  and  that's  not  the  basis  for  admissibility.  It  has  to  make 
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a  fact  in  consequence  more  or  less  likely.  And  the  list  and  the 
Tweets,  they  don't  do  that. 

MJ:  Thank  you. 

ADC [CPT  TOOMAN] :  Thanks,  ma'am. 

MJ:  Government,  any  final  reply? 

ATC [CPT  von  ELTEN] :  Yes,  ma'am. 

MJ:  I'd  also  ask  you  to  distinguish  Novak. 

ATC [CPT  von  ELTEN]:  May  I  have  a  moment.  Your  Honor? 

[There  was  a  brief  pause  while  the  assistant  defense  counsel 
consulted  with  co-counsel . ] 

MJ:  Yes. 

ATC [CPT  von  ELTEN]:  Would  you  like  me  to  start  by  distinguishing 
Novak ? 

MJ:  Yes,  please. 

ATC [CPT  von  ELTEN]:  First  of  all,  ma'am,  Novak  admits  the 
reliability  of  Internet  Archive  results  for  the  availability  of 
information  to  the  public  in  prior  art  cases. 

MJ:  In? 

ATC [CPT  von  ELTEN]:  Prior  art  cases.  So  what  is  known  about  the 
originality  of  a  patent  claim.  Novak  sits  apart  from  other  cases  in 
its  skeptical  treatment  of  electronic  evidence  and  the  Internet 
Archive  in  particular.  The  United  States  has  provided  other  cases 
where  the  Internet  Archive  has  been  relied  on  in  adversarial 
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proceedings  based  on  affidavits  provided.  The  defense  has  cited 
where  affidavits  have  been  sufficient  to  justify  the  reliability  of 
the  Internet  Archive. 

MJ:  I  think  I  asked  you  earlier  if  any  criminal  cases  that  you 

were  aware  of  that  allowed  Internet  Archive  and  you  gave  me  one.  Are 
there  others? 

ATC [CPT  von  ELTEN] :  Yes,  ma'am.  That's  the  only  one  I'm  aware 
of,  ma'am.  Ma'am,  Google  cache  or  any  automatically  generated  result 
is  a  machine  generated  process  and  it's  not  hearsay  any  more  than  a 
photograph.  The  defense  has  submitted  evidence  in  its  brief 
attesting  to  the  reliability  of  the  Internet  - 

MJ:  Let  me  go  back.  You  talked  about  Google  cache  is 

automatically  generated  and  the  result  is  not  hearsay.  I  believe  the 
defense's  position  to  me  was  it  is  a  statement  by  Google  cache 
basically  saying  that  what  I  am  pulling  up  is,  in  fact,  what  was 
there  in  2009. 

ATC [CPT  von  ELTEN]:  Ma'am,  it's  a  kin  to  server  logs.  Google 
cache  just  says  this  is  a  recent  version  as  Google  has  found,  so  it's 
a  kin  to  server  logs.  They  just  automatically  generate  the  results 
based  on  the  automated  process. 

MJ:  Okay. 

ATC [CPT  von  ELTEN]:  But  as  for  the  evidence  the  defense  has 
provided  to  the  authenticity,  Enclosure  1,  I  believe. 
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MJ:  Of  the  defense  brief? 

ATC [CPT  von  ELTEN] :  May  I  quote  it,  ma'am?  I  will  address 
Google  cache  and  the  Wayback  machine  separately,  although  most  of  the 
information  applies  to  both.  Both  the  Google  cache  and  the  Wayback 
machine  contain  information  at  only  one  point  in  time.  The  Google 
cache  let's  you  know  the  page  that  you  are  viewing  is  only  a  snapshot 
of  how  a  page  is  when  it  looked  at  a  specific  time.  Ma'am,  that  is 
exactly  what  the  United  States  is  offering  this  for.  Further,  the 
enclosure  states,  'the  Wayback  machine  keeps  multiple  copies  of  the 
same  capture  on  different  days.'  Again,  ma'am,  that  is  what  the 
United  States  is  offering  this  for,  is  that  it  was  captured  on  this 
date.  And  finally,  I  quote,  'For  any  of  the  cache  services  you  are 
essentially  looking  through  a  window  at  a  picture  of  what  occurred, ' 
end  quote.  The  defense  has  raised  concerns. 

MJ:  Let  me  ask  another  question  on  that  and  I'll  ask  the 

defense  this  too.  You  talked  about  —  The  defense  has  —  This 
enclosure  talks  about  webs  being  sort  of  streaming.  You  know,  if 
you're  watching  CNN  it  changes  every  minute,  they  got  a  new  story 
now,  and  then  you  pull  it  up  a  minute  later  and  that  story 
disappeared  and  they  have  a  new  one  at  the  top.  Is  that  the  same 
thing  we're  talking  about  when  we're  talking  about  these  lists?  Are 
they  fixed  documents  or  are  they  things  constantly  changing  in  the 
stream? 
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ATC [CPT  von  ELTEN] :  Yes,  ma'am,  a  document  as  it  exists  on  a  web 
page  can  be  changed.  However,  in  this  case.  Prosecution  Exhibit  109 
for  Identification  is  a  snapshot  of  what  the  document  looked  like  in 
November  of  2009.  Prosecution  Exhibit  110  is  a  snapshot  of  the 
document  as  it  exists  today.  As  defense  has  pointed  out,  the 
introductory  language  has  been  changed,  but  much  of  the  content  is 
substantially  the  same. 

MJ:  What's  your  position  with  respect  to  Defense  Exhibit 

Foxtrot?  This  also  exists  today.  If  I  compare  it  to  Prosecution 
Exhibit  109,  it's  not  the  same. 

ATC [CPT  von  ELTEN]:  No,  ma'am,  it's  not  exactly  the  same,  but 
there  are  substantial  overlap.  And  that  overlap  authenticates  that 
this  is  how  it  existed  back  then.  The  United  States  has  provided 
independent  evidence  through  the  Internet  Archive  that  that  is  how  it 
existed  back  then,  and  changes  have  been  made  in  the  interim,  but  the 
fact  that  a  few  changes  have  been  made  also  authenticates  the 
document . 

MJ:  All  right. 

ATC [CPT  von  ELTEN]:  Defense  raised  the  content  of  the  affidavit. 
Ma'am,  I'd  just  like  to  point  out  the  elements  on  that  attested 
personal  knowledge,  that  the  information  was  captured  at  or  near  the 
time,  was  part  of  regularly  conducted  activity,  and  that  they  were 
true  and  accurate  copies,  which  makes  it  a  business  record. 
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Furthermore,  Your  Honor,  there  is  case  law  to  support  where  a 
business  integrates  documents  that  those  qualify  as  records  of  the 
organization  actually  holding  them.  United  States  v.  Dababneh. 

MJ:  Is  that  in  your  brief? 

ATC [CPT  von  ELTEN] :  No,  ma'am,  it's  not. 

MJ:  Okay.  What's  the  cite  for  Dababneh ? 

ATC [CPT  von  ELTEN]:  United  States  v.  Dababneh  is  28  M.J.  929. 
United  States  also  points  to  - 

MJ:  Is  that  a  C.A.A.F.  case? 

ATC  [CPT  von  ELTEN]:  No,  ma'am,  that  is  a  United  States  Marine 
Corps  Court  of  Military  Review. 

MJ:  What  year? 

ATC [CPT  von  ELTEN]:  1989. 

MJ:  Okay. 

ATC [CPT  von  ELTEN]:  And  also  a  Fifth  Circuit  case.  United  States 
v.  Orich,  which  is  a  1978  case.  I  have  a  copy  for  the  Court  and  the 
defense,  ma'am. 

MJ:  Thank  you. 

ATC [CPT  von  ELTEN]:  May  I  approach? 

MJ:  Yes. 

ATC [CPT  von  ELTEN]:  Furthermore,  ma'am,  there's  no  evidence  of 
tampering  or  intent  to  tamper.  And  Prosecution  Exhibit  109  is  a 
different  list  from  Prosecution  Exhibit  —  or  for  —  109  for 
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Identification  is  a  different  list  from  Prosecution  Exhibit  110.  And 
the  defense  has  offered  no  evidence  that  Prosecution  Exhibit  109  for 
Identification  has  changed.  The  arguments  that  they  make  should  go 
to  weight.  And  to  clarify  one  additional  fact,  ma'am.  Agent  Shaver 
testified  PFC  Manning  used  Mozilla  Firefox  on  his  SIPRNET  computer 
which  was  configured  to  delete  browsing  history.  He  has  not 
testified  regarding  the  NIPR  computer  to  which  PFC  Manning  had 
access . 

MJ:  Wait  a  minute.  Say  that  one  more  time. 

ATC [CPT  von  ELTEN] :  PFC  Manning  —  I'm  sorry.  Agent  Shaver 
testified  that  PFC  Manning  used  Mozilla  Firefox  on  his  SIPRNET 
computer.  Agent  Shaver  testified  that  the  Firefox  browser  was 
configured  to  delete  browsing  history. 

MJ:  And  this  is,  had  Mozilla  on  which  computer? 

ATC [CPT  von  ELTEN]:  On  his  SIPRNET  computer.  Agent  Shaver  has 
not  testified  concerning  the  NIPR  computer  to  which  PFC  Manning  had 
access  to  in  the  SCIF  where  he  worked  —  where  PFC  Manning  worked. 

MJ:  And  that  is  relevant  why? 

ATC [CPT  von  ELTEN]:  I  just  wanted  to  clarify  what  I  told  you 
earlier.  Your  Honor. 

ADC [CPT  MORROW]:  If  I  could,  Your  Honor,  he  just  misspoke 

earlier,  so  we're  clarifying  - 

MJ:  Okay. 


8989 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


Q  O 


ADC [CPT  MORROW]:  - The  fact  that  he  misspoke. 

MJ:  Okay. 

ATC [CPT  von  ELTEN] :  Finally,  Your  Honor,  the  defense  raises 
arguments  regarding  the  weight  of  the  evidence,  not  the 
admissibility,  and  should  present  that  evidence  in  the  case  in  chief. 
Thank  you. 

MJ:  Hold  on  just  a  minute. 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ:  M.R.E.  902(11)  requires  the  certificate  to  state  that  the 

record  was  made  at  or  near  the  time  of  the  occurrence  of  the  matter 
set  forth  by  or  with  information  transmitted  by  a  person  with 
knowledge  of  those  matters.  How  does  the  attestation  from  archive.org 
say  that? 

ATC [CPT  von  ELTEN]:  Ma'am,  the  attestation  says  that  the  records 
were  created  in  Internet  archive  results  at  or  near  the  time. 
Paragraph  2:  To  the  best  of  the  electronic  systems  involved  and 
accurately  record  and  reflect,  such  files  were  captured  at  or  near 
the  time  the  date  reflected  in  the  URL. 

MJ:  This  is  where  I'm  confused  again.  This  crawling  process  is 

Internet.org  crawling  or  is  a  third-party  crawling? 

ATC [CPT  von  ELTEN]:  Internet  Archive  is  attesting  that  the 
documents  were  captured  at  the  time  reflected  in  the  URL. 

MJ:  Captured  by  Internet.org  or  captured  by  someone  else? 
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ATC [CPT  von  ELTEN] :  Either  system,  ma'am. 

MJ:  So  it  could  be  a  donated,  something  donated  as  well? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am.  But  Internet  archive  relies  on 
those  results  and  integrates  them  into  their  own  records.  And, 
ma'am,  the  defense  has  presented  no  evidence  that  the  WikiLeaks  — 
that  Prosecution  Exhibit  109  for  Identification  was  donated. 

MJ:  Well,  you  haven't  presented  any  that  this  was  captured  by 

Internet  Archive,  have  you? 

ATC [CPT  von  ELTEN]:  We  have  the  attestations  saying  that  it's 
accurately  reflected  in  the  records. 

MJ:  It  says  were  captured  or  were  received  by  a  third-party. 

So  we  don't  know  really. 

ATC [CPT  von  ELTEN]:  There's  no  definitive  evidence,  ma'am. 

MJ:  Defense,  any  final  words?  Well,  the  government  has  the 

final  words,  but  any  further  words? 

ADC [CPT  TOOMAN] :  Yes,  ma'am.  I  believe  you  wanted  us  to 

address  whether  or  not  the  list  or  the  web  is  a  fixed  document. 

MJ:  Yes.  I  mean  do  you  see  the  distinction  here?  As  I'm 

looking,  is  this  a  streaming  video,  is  this  like  Prosecution  Exhibit 
109  for  Identification,  when  you  pull  it  up,  is  it  like  CNN,  it 
changes,  something  drops  off  at  the  end  and  something  new  comes  up  in 
the  beginning? 
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ADC [CPT  TOOMAN] :  Well,  we  don't  know.  Your  Honor.  We  would 

say  that  based  on  Defense  Exhibit  Foxtrot,  that  would  suggest  that 
this  is  a  list  that  is  being  added  to.  There's  the  opportunity  to 
add  things  to  it,  and  so  in  our  mind  that  would  make  it  a  live 
document.  Things  could  get  added  later,  maybe  they'd  get  something 
and  then  take  it  off,  so  we  don't  know.  But  certainly  the 
introductory  language  would  suggest  that  it  is  a  living  document 
that's  going  to  change  over  time. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  If  I  may  publish,  Your  Honor,  the  affidavit 

the  defense  received  from  Mr.  Butler. 

MJ:  Certainly.  That  would  be,  for  the  record.  Enclosure  10  to 

the  defense  brief? 

ADC [CPT  TOOMAN]:  Yes,  ma'am.  I  will  zoom  in  here  on 

Paragraph  7.  And  Paragraph  7  of  this  says  that  for  the  year  Internet 
Archive  largely,  and  I'm  not  quoting  here,  but  it  mostly  relied  on 
third  parties  to  donate.  Third  parties  were  the  ones  making  the 
donations.  So  in  this  case  we  don't  know.  It's  possible  that 
Internet  Archive  could  have  done  it,  but  it's  more  likely  that  it 
would  have  come  from  a  third-party.  And  this  attestation  says  that 
these  were,  they  don't  know  if  the  person  who  got  it  has  personal 
knowledge.  The  last  sentence  there  of  Paragraph  7,  do  not  affirm 
that  these  web  archives  were  set  forth  by,  or  from  information 
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transmitted  by  people  with  the  knowledge  of  the  information  recorded 
therein.  So  we  would  say  that  it  fails  the  902(11)  analysis.  And 
that's  in  part  because  the  snapshot  that  these  archives  give  us  are 
just  that,  they're  a  snapshot,  and  we  don't  know  whether  or  not  the 
process  by  which  they  were  acquired  is  valid  because  we're  not 
hearing  from  those  people.  The  government  referenced  Mozilla  Firefox 
and  deleting  browsing  history.  Your  Honor,  I  don't  recall  if  we 
asked  Agent  Shaver  this  question,  but  if  we  didn't,  we'll  ask  him  the 
next  time  he's  on  the  stand  and  he'll  tell  us  that  deleting  Internet 
history  in  Mozilla  Firefox  is  a  default  setting.  So  if  he  hasn't 
already  said  it,  he  will  say  it. 

MJ:  I  don't  recall  him  saying  it.  That  doesn't  necessarily 

mean  it's  not  on  the  record. 

ADC [CPT  TOOMAN] :  I  don't  recall  him  saying  it  either,  but  I'm 

proffering  to  you  he  will  say  it  the  next  time  he's  on  the  stand. 

And  so  that's  - 

MJ:  So  the  web  deleting  history  is  the  default  setting? 

ADC [CPT  TOOMAN]:  The  government  just  brought  up  that  Mozilla 

Firefox  was  set  up  to  clear  browsing  history. 

MJ:  I  got  it.  Government,  do  you  agree  with  that? 

ATC [CPT  MORROW]:  Your  Honor,  yes.  It  was  configured  to 

delete  browsing  history,  and  we  would  agree  that  that  may  or  may  not 
be  the  default  assist  setting. 
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MJ:  They're  saying  it  is  the  default  setting.  You're  saying  it 

may  or  may  not  be. 

ATC [CPT  MORROW]:  I  don't  recall  whether  that  is  the  default 

setting  of  Mozilla.  It  could  be.  But  the  point  is  that  history 
doesn't  exist  because  it  was  configured  that  way. 

MJ:  All  right.  You  all  can  ask  him  the  question.  I  don't  have 

any  evidence  before  me  otherwise. 

ADC [CPT  TOOMAN] :  Yes,  ma'am.  We've  only  done  a  very  brief 

review  of  the  Dababneh  case,  but  we  would  point  out  that  that  is  the 
check  case,  like  Your  Honor  mentioned,  and  we  think  we've  addressed 
the  differences  there.  With  the  check  you  can  kind  of  look  at  it  and 
see.  And  also,  that  was,  it  appeared  that  that  was  kind  of  a  normal 
thing,  like  these  people  would  always  send  checks  and  so,  again, 
there  was  that  understanding  of  how  the  system  was  working.  Here 
with  Internet.org  or  archive.org  it's  an  ad  hoc  process.  You  have 
someone,  maybe  I  decide  one  day  that  I  want  to  do  it  and  I  give  them 
some  stuff  and  I  decide  I  don't  want  to  do  it  anymore.  So  Internet 
Archive.org  doesn't  have  any  knowledge  of  the  process. 

MJ:  Assume  what  you  said  is  correct  though.  Would  that  have 

any  bearing  on  the  validity  of  what's  there  if  it  may  not  be 
complete?  You  may  not  be  able  to  go  back  to  January  1st  of  2009  and 
see  every  Internet  site  in  existence,  but  does  that  mean  the  ones  you 
can  see  have  reliability  issues? 
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ADC [CPT  TOOMAN] :  We  think  it  does.  We  think  that  the  person 

who  actually  took  the  site,  you  have  to  have  personal  knowledge, 
someone  with  personal  knowledge.  And  certainly  Internet  Archive  has 
personal  knowledge  of  what  someone  gave  them.  And  they  can  tell  you 
all  day  this  is  what  Bill  gave  or  whoever  gave  us,  but  they  can't  say 
that  the  process  Bill  used  was  a  valid  process  or  stuff  hasn't  been 
tampered  with.  Subject  to  your  questions,  ma'am. 

MJ:  I  think  I  just  asked  them.  Thank  you.  Government,  any 
last  words? 

ATC [CPT  von  ELTEN] :  Yes,  ma'am.  The  attestation  highlighted  by 
defense  also  says  that  the  archive  data  obtained  from  the  third-party 
organizations  was,  quote,  'captured  by  automated  electronic  systems, ' 
end  quote. 

MJ:  You're  reading  Paragraph  7  again? 

ATC [CPT  von  ELTEN]:  Yes,  ma'am. 

MJ:  All  right.  Anything  else? 

ATC [CPT  von  ELTEN]:  No,  ma'am. 

MJ:  All  right.  I  believe  we  discussed  yesterday  that  we  will 

be  holding  a  status  conference  on  Tuesday  at  0930  and  the  plan  will 
be  then  to  proceed  with  additional  taking  of  evidence  on  Wednesday  at 
0930.  Is  that  the  understanding  of  the  parties? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 
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MJ:  All  right.  Is  there  anything  else  that  we  need  to  address 

that's  going  to  disturb  that? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR .  COOMBS]:  No,  Your  Honor. 

MJ:  Anything  else  we  need  to  address  at  all  before  we  recess 

the  Court? 

TC [MAJ  FEIN]:  No,  ma’am. 

CDC [MR.  COOMBS]:  No,  ma'am. 

MJ:  Court  is  in  recess. 

[The  court-martial  recessed  at  1110,  18  June  2013.] 

[END  OF  PAGE] 
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[The  court-martial  was  called  to  order  at  0942,  25  June  2013.] 

MJ:  Court  is  called  to  order.  Major  Fein,  please  account  for 

the  parties. 

TC [MAJ  FEIN]:  Yes,  ma'am.  Your  Honor,  all  parties  when  the 
Court  last  recessed  are  again  present  with  the  following  exceptions: 
Mr.  Chavez,  court  reporter,  is  absent.  Mr.  Robertshaw,  court 
reporter,  is  present.  Your  Honor,  correction.  Mr.  Robertshaw  was 
here  last  week.  It  was  so  long  ago  I  forgot.  Also  Captain  von  Elten 
is  absent;  Captain  Whyte  is  present. 

MJ:  All  right.  Thank  you.  Do  you  have  a  report  for  the  media 

operations  center  as  well? 

TC [MAJ  FEIN]:  Yes,  ma'am.  Ma'am,  as  of  this  morning  at  the 
start  of  the  session  there  are  11  members  of  the  media  at  the  media 
operation  center,  one  stenographer  and  there's  approximately  15 
spectators  in  the  courtroom.  There  are  no  spectators  in  the  trailer, 
although  the  trailer  is  available  to  be  used,  if  needed. 

MJ:  All  right.  Thank  you.  Counsel  and  I  met  in  a  brief  R.C.M. 

802  conference  this  morning.  Once  again,  those  are  conferences  where 
I  go  over  logistics  and  scheduling  issues  with  counsel,  and  we  have 
arrived  at  an  order  of  march  for  this  week.  Today  will  be  a 
relatively  short  session.  We're  going  to  basically  just  introduce 
what  the  parties  have  added  to  the  record  since  the  last  session,  and 
then  at  11:30  today  we  will  be  having  oral  argument  with  respect  to 
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judicial  notice  motions  that  have  been  filed  by  both  sides.  The 
defense  filed  one,  the  prosecution  then  filed  another  one.  And  then 
the  Court  will  be  taking  that  under  advisement  and  the  Court  will  go 
in  recess  for  today.  And  tomorrow  we  will  begin  again  with  the 
presentation  of  evidence. 

Now,  Major  Fein,  would  you  like  to  discuss,  for  the  record 
I  believe  we  have  a  grant  of  immunity  that  has  been  signed? 

TC [MAJ  FEIN]:  Yes,  Your  Honor.  What  has  been  marked  as 
Appellate  Exhibit  578  is  a  grant  of  immunity  for  a  witness  based  off 
a  request  —  well,  the  government's  request.  Also,  Your  Honor,  to 
account  for  housekeeping  purposes,  the  government's  response  to 
defense  motion  for  judicial  notice  has  been  marked  as  Appellate 
Exhibit  574.  The  defense  —  The  government's  motion  for  judicial 
notice  and  the  defense's  response  will  be  marked  once  they're 
complete,  as  576  and  577  to  be  reflected  later.  Also  the  government 
order  of  witness  list  update  has  been  marked  as  Appellate  Exhibit 
575. 

MJ:  Just  for  the  record,  at  the  802  conference  the  government 

advised  me  that  the  government  had  already  emailed  to  the  defense  and 
the  Court  with  respect  to  what  their  motion  for  judicial  notice  was 
had  an  error  in  it,  and  they've  revised  that  error  in  a  corrected 
copy  to  be  filed  for  the  record.  Defense's  response  to  that  motion 
responded  to  the  motion  as  it  originally  was.  It's  just  a  minor 
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change.  And  the  defense  also  intends  then  to  file  a  corrected  copy 
of  its  response.  The  original  copies  are  not  going  to  go  into  the 
record  at  this  point  because  they're  not  accurate  and  the  parties 
don't  want  them  in  the  record,  so  the  corrected  copies  will  be  the 
judicial  notice  motions.  Is  that  accurate? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 

MJ:  Okay.  Now,  two  issues  also  arose  at  the  R.C.M.  802 

conference.  One  of  them  is  whether  the  government  asked  whether  the 
Court  would  require  classified  stipulations  or  portions  of 
stipulations  that  contained  classified  information  to  be  read  on  the 
record  in  classified  sessions.  I  asked  the  defense  for  their 
position  on  that.  The  Court  can  read  the  stipulation,  I'm  the  finder 
of  fact,  but  defense,  what  was  your  position  on  that? 

CDC [MR.  COOMBS]:  Yes,  Your  Honor.  The  defense  does  not  have 

an  objection  to  the  Court  reading  the  classified  portions  and 
therefore  not  requiring  the  government  to  read  those  in  a  closed 
session.  Additionally  the  defense  does  not  have  an  objection  to  the 
Court  having  access  to  the  stipulations  of  expected  testimony  during 
your  deliberations. 

MJ:  Thank  you. 

TC [MAJ  FEIN]:  And,  ma'am,  also  I  just  add  one  more  thing 
discussed  in  chambers.  The  classified  stipulations  of  expect 
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excuse  me,  the  stipulations  of  expected  testimony  will  be  portion 
marked,  so  those  portions  that  are  unclassified  will  be  read  on  the 
public  record.  It's  only  those  portions  that  are  classified  that 
won't  be. 

MJ:  Is  there  anything  else  that  we  need  to  address  at  this 

point  that  has  not  been  discussed? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  All  right.  Is  11:30  sufficient  for  the  parties  to 

reconvene  and  argue  the  judicial  notice  motions? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 

MJ:  Court  is  in  recess. 

[The  court-martial  recessed  at  0947,  25  June  2013.] 

[The  court  was  called  to  order  at  1137,  25  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  all 

parties  present  when  the  Court  last  recessed  are  again  present  in 
court.  Major  Fein,  would  you  like  to  add  for  the  record  what  has 
been  added  as  appellate  exhibits  or  other  exhibits? 

TC [MAJ  FEIN]:  Yes,  ma'am.  Ma'am,  first  is  an  appellate 
exhibit,  what  has  been  marked  as  Appellate  Exhibit  580  is  the 
assumption  of  command  orders  for  Major  General  Jeffrey  Buchanan  the 
new  commander.  United  States  Army,  Military  District  of  Washington 
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and  the  general  court-martial  convening  authority  for  this  court- 
martial  effective  as  of  0001  hours  24  June  2013.  Your  Honor,  what 
has  been  marked  —  I'm  sorry.  May  I  have  a  moment.  Your  Honor? 

MJ:  Yes. 

TC [MAJ  FEIN]:  Your  Honor,  what  has  been  marked  as  Prosecution 
Exhibit  135  Alpha  is  the  same  document  that  was  previously  marked 
Prosecution  Exhibit  135  Alpha,  that  is  a  stipulation  of  expected 
testimony  from  Miss  Cathryn  Strobl.  This  stipulation  of  expected 
testimony  was  read  onto  the  record  but  there  was  a  mistake  in 
redactions  and  that  mistake  has  been  corrected.  The  defense  has  been 
provided  a  copy  and  so  has  the  Court  and  the  record  as  well.  Again, 
that's  Prosecution  Exhibit  135  Alpha. 

Also,  Your  Honor,  what  has  been  replaced  in  the  record  with 
a  cleaner,  more  legible  copy  is  Prosecution  Exhibit  138  is  for 
Identification  and  139  for  Identification.  Those  are  screenshots  of 
the  open  source  center  log-in  account  information,  again,  Prosecution 
Exhibit  138  for  Identification  and  Prosecution  Exhibit  139  for 
Identification.  Those  both  are  referenced  by  the  stipulation  of 
expected  testimony  of  Mr.  Maxwell  Allen,  Prosecution  Exhibit  137. 

And  United  States  moves  to  admit  Prosecution  Exhibits  138  and  139  for 
Identification  as  Prosecution  Exhibits  138  and  139. 

MJ:  Any  objection? 

ADC [MAJ  HURLEY]:  No,  ma'am. 
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MJ:  All  right.  I  notice  Prosecution  Exhibits  138  for 

Identification  and  139  for  Identification  are  more  legible  than  the 
original  copies.  As  such,  the  Court  will  admit  them  in  the  absence 
of  defense  objection.  Is  there  anything  else  we  need  to  address 
before  we  turn  to  the  motions  at  issue? 

TC [MAJ  FEIN]:  Yes,  ma'am.  The  government's  motion  for  judicial 
notice,  its  corrected  copy  has  been  marked  as  Appellate  Exhibit  576 
and  the  defense's  response  to  the  government's  motion  for  judicial 
notice,  its  updated  response,  has  been  marked  as  Appellate  Exhibit 
577.  That  is  all  the  documents  that  have  been  marked.  Your  Honor. 

MJ:  All  right.  Are  the  parties  ready  to  proceed  with  oral 
argument? 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

ATC [CPT  WHYTE]:  Yes,  ma'am. 

MJ:  Why  don't  we  begin  with  the  defense  requests  for  judicial 

notice  as  they  were  filed  first?  Captain  Tooman. 

ADC [CPT  TOOMAN]:  Yes,  ma'am.  Ma'am,  I'll  begin  with  the 

Apache  classification  review  which  was  conducted  by  Rear  Admiral 
Donegan.  The  defense  believes  this  is  proper  for  judicial  notice 
because,  first  off,  it's  relevant  to  the  charges  for  the  Apache 
video,  whether  or  not  that  was  closely  held.  And  in  response  to  the 
government ' s  - 
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MJ:  Let  me  just  ask  you  a  question.  I'm  sorry  to  interrupt  you 

a  little  bit.  Government,  I  believe  in  your  response  you  said  that 
you  —  the  government  hasn't  presented  any  evidence  and  doesn't 
intend  to  present  any  evidence  that  that  video  was  classified. 

ATC [CPT  WHYTE]:  That's  correct.  Your  Honor.  It's  not 

inconsistent  with  the  government's  position  that  it's  not  classified. 
It's  an  unclassified  video. 

MJ:  Are  you  willing  to  stipulate  to  that? 

ATC [CPT  WHYTE]:  Yes,  ma'am,  we  will  stipulate  that  it  was  an 

unclassified  video.  We  obviously  will  not  stipulate  that  it  was  not 
closely  held. 

MJ:  So  if  you're  stipulating  that  it's  an  unclassified  video, 

what  is  the  additional  relevance  of  this  statement  by  Rear  Admiral 
Donegan? 

ADC [CPT  TOOMAN] :  We  believe  that  it  would  rebut  Prosecution 

Exhibit  117  which  is  the  stipulation  for  CW5  Larue. 

MJ:  Okay.  Hold  on  just  a  minute.  And  that  is  where  in  your 

brief? 

ADC [CPT  TOOMAN]:  It  wasn't  in  our  brief,  Your  Honor,  because 

we  weren't  aware  of  that  being  the  government's  position  when  we 
filed  our  brief,  when  we  filed  our  request.  At  that  point  we  weren't 
aware  the  government  was  taking  the  position  that  the  memo  from 
Admiral  Donegan  was  consistent  with  what  they  have  put  forward. 
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MJ:  So  it  rebuts  testimony  of  Chief  Larue? 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

MJ:  May  I  see  Prosecution  Exhibit  117,  please? 

ADC [CPT  TOOMAN]:  We  point  your  attention  to  Paragraph  8, 

ma'am,  in  which  Chief  Larue  discusses  his  opinion  of  the  video 
contains  TTPs  and  sensitive  Army  Aviation  information.  We  believe 
the  memorandum  from  Rear  Admiral  Donegan  to  the  Judge  Advocate 
General  of  the  Army  rebuts  that  and  says  that  there  are  no  TTPs. 

MJ:  All  right. 

ADC [CPT  TOOMAN]:  And  the  defense  believes  that  this  would  be 

proper  for  judicial  notice  using  the  test  from  Salerno.  This  is  an 
official  correspondence  from  Rear  Admiral  Donegan  to  a  three  star 
general,  the  Judge  Advocate  General  of  the  Army.  It's  on  official 
letterhead.  For  those  reasons  we  think  it  has  the  reliability  of 
testimony.  There's  no  reason  to  believe  that  Admiral  Donegan  was  not 
being  forthright  in  his  correspondence  to  TJAG.  So  we  believe  it 
would  satisfy  the  test  of  Salerno.  The  government  also  points  out 
that  Admiral  Donegan  is  on  their  witness  list  for  sentencing;  that 
won't  do  us  any  good  to  cross-examine  him  on  sentencing  about 
something  relevant  on  the  merits. 

MJ:  Is  there  a  stipulation  of  expected  testimony  from  him  or 

not? 

ADC [CPT  TOOMAN]:  For  Admiral  Donegan? 
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MJ:  Yes. 

ADC [CPT  TOOMAN] :  No,  ma'am.  He's  just  a  sentencing  witness. 

MJ:  What  is  the  defense's  position  with  respect  to  the  first 

part  of  the  Salerno  test  whether  it's  an  assertion  of  fact  or  an 
opinoin? 

ADC [CPT  TOOMAN]:  We  believe  this  is  an  assertion  of  fact.  We 

don't  have  —  We  have  Rear  Admiral  —  or  I'm  sorry.  Vice  Admiral 
Harward  who  is  the  OCA.  We  have  a  stipulation  of  testimony  from  him 
for  the  CENTCOM  stuff.  He  doesn't  address  this  particular  video  and 
so  our  position  would  be  this  correspondence  from  Rear  Admiral 
Donegan  is  the  closest  thing  we  have  to  an  OCA  assessment  of  the 
video. 

MJ:  Okay.  Why  don't  we  run  through  all  three  of  them  and  then 

I'll  let  the  government  talk. 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

MJ:  All  right.  I  think  I  understand  your  position. 

ADC [CPT  TOOMAN]:  Okay.  With  respect  to  the  transcript,  the 

defense  —  the  transcript  of  the  Apache  video,  the  defense  has  no 
issue  with  the  changes  that  the  government  made  and  so  it  seems  from 
their  response  that  they  would  be  okay  with  the  Court  taking  judicial 
notice  of  the  second  enclosure  from  their  response. 
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MJ:  Does  the  government  have  any  objection  to  me  taking 

judicial  notice  of  the  enclosure,  second  enclosure  to  your  response 
as  edited? 

ATC [CPT  WHYTE]:  Yes,  ma'am.  We  would  agree  to  stipulate  to 

the  transcript  as  being  a  verbatim  transcript  of  the  video.  We  don't 
think  it's  actually  proper  for  judicial  notice. 

MJ:  Why  not? 

ATC [CPT  WHYTE]:  Because  there  are  no  facts  to  support  that 

this  actually  is  correct,  and  also  this  isn't  commonly  known  in  the 
community. 

MJ:  So  if  you're  stipulating  that  this  is  an  accurate 

transcript,  if  the  defense  were  to  offer  the  transcript  itself,  there 
would  be  no  authentication  objection,  right? 

ATC [CPT  WHYTE]:  That  is  correct,  ma'am. 

MJ:  So,  Captain  Tooman,  what's  the  difference?  I  mean,  why 

should  I  take  judicial  notice  of  it  if  you  can  just  introduce  it  as 
an  exhibit? 

ADC [CPT  TOOMAN]:  That's  fine.  Your  Honor.  We'll  offer  it  as 

an  exhibit.  I  would  think  you  could  because  it's  easily  verifiable. 
You  can  watch  the  video  and  follow  along  and  you  can  see  that  it's 
accurate.  So  we  think  that  it  is  proper  for  judicial  notice  because 
you  could  easily  verify  it. 
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MJ:  Okay.  Government,  I  know  I'm  going  to  let  you  argue  here, 

but  if  I  go  through  the  video  and  I  go  step  by  step  and  this 
transcript  is  —  is  this  going  to  be  exactly  what  the  defense  says, 
that's  what  I'm  going  to  be  hearing  in  Enclosure  2? 

ATC [CPT  WHYTE]:  Yes,  ma'am,  it  is.  It's  verbatim.  We 

confirmed. 

MJ:  Okay.  I  understand.  Is  that  —  So  that's  the  only 

objection  that  I  saw  that  the  government  had  to  the  Court  taking 
judicial  notice  of  that  transcript.  Is  that  correct? 

ATC [CPT  WHYTE]:  Yes,  ma'am. 

MJ:  All  right.  Captain  Tooman,  proceed. 

ADC [CPT  TOOMAN]:  Thank  you,  ma'am.  I  guess  the  last  piece  at 

issue  would  be  the  relevance  of  the  FOIA  correspondence  related  to 
the  Farah  or  the  Gharani  video.  There  we  think  this  is  relevant. 

The  government's  response  to  this  suggested  there  was  no  evidence 
before  the  Court  that  PFC  Manning  had  any  knowledge  of  this.  We 

would  point  the  Court  to  Prosecution  Exhibit  30  which  - 

MJ:  Why  isn't  that  in  your  brief? 

ADC [CPT  TOOMAN]:  Again,  Your  Honor,  we  weren't  aware  of  the 

government's  objection  when  we  drafted  our  brief. 

MJ:  All  right.  Your  brief  talks  about  the  providence  inquiry. 

Does  the  defense  agree  with  me  that  nothing  that  would  the 
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providence  inquiry  establishes  elements?  Whatever  is  said  in  the 
providence  inquiry  is  not  evidence  before  the  Court? 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

MJ:  So  I'm  summarily  ruling  against  the  defense  in  that 

respect . 

ADC [CPT  TOOMAN]:  Understood.  Yes,  ma'am. 

MJ:  So  what's  Prosecution  Exhibit  30?  May  I  see  it,  please? 

ADC [CPT  TOOMAN]:  Ma'am,  those  are  the  chats  between  PFC 

Manning  and  Adrian  Lamo. 

MJ:  Before  we  get  there,  your  second  basis  that  you  have  in  the 

brief  is  it's  going  to  rebut  statements  by  Miss  Showman.  To  the 
Court's  knowledge  the  government  hasn't  introduced  those  statements. 
Is  that  an  accurate  statement  of  fact  at  this  point? 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

MJ:  Okay. 

ATC [CPT  MORROW]:  Your  Honor,  if  I  may,  are  we  referring  to 

the  FOIA  request  for  the  Farah  or  the  Ghranai .  Captain  Tooman  said 
the  Gharani  video.  And  the  FOIA  request  in  this  case  is  for  the 
Apache  video. 

ADC [CPT  TOOMAN]:  I'm  sorry.  I  misspoke.  The  FOIA  request  in 

this  case  is  for  the  Apache  video.  I  am  speaking  of  the  FOIA  request 
for  the  Apache  video.  Your  Honor,  in  the  chats  between  PFC  Manning 
and  Adrian  Lamo,  PFC  Manning  on  May  25th  at 
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MJ:  What  page? 

ADC [CPT  TOOMAN] :  I'm  not  sure  the  page  on  the  Prosecution 

Exhibit,  ma'am. 

MJ:  Why  don't  we  do  this.  Captain  Tooman?  What  I'll  do  is  I'll 

have  the  government  get  up  and  put  their  position  with  respect  to  the 
first  judicial  notice  request  at  issue,  and  then  the  defense  team  can 
find  the  appropriate  page  and  when  you  come  back  up  for  reply,  we  can 
address  that. 

ADC [CPT  TOOMAN]:  Okay,  Your  Honor. 

MJ:  Is  there  anything  else  that  you  want  to  - 

ADC [CPT  TOOMAN]:  Well,  I  think  the  rest  of  our  argument  with 

respect  to  this  will  rely  on  the  chats. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  Thank  you. 

MJ:  Government,  first  of  all,  I  understand  from  your  brief 

you're  not  objecting  to  the  911  Page  or  messages  requests  for 
judicial  notice.  Is  that  correct? 

ATC [CPT  WHYTE]:  Yes,  ma'am. 

MJ:  In  light  of  the  fact  that  there's  no  objection,  the  Court 

will  take  judicial  notice  of  that. 

ATC [CPT  WHYTE]:  So,  ma'am,  first  with  the  defense  request 

that  this  Court  take  judicial  notice  of  the  CENTCOM  classification 
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MJ:  Can  you  speak  a  little  bit  louder? 

ATC [CPT  WHYTE]:  Yes,  ma'am.  I'm  sorry.  The  defense  is 

requesting  that  this  Court  take  judicial  notice  of  the  CENTCOM 
classification  assessment  of  the  Apache  video.  The  United  States 
obviously  opposes.  We  think  —  It's  the  government's  position  that 
this  is  not  an  assertion  of  fact.  Instead,  if  Your  Honor  reads  Rear 
Admiral  Donegan's  statement,  that  this  is  purely  his  opinion  that 
this  video  should  be  unclassified. 

MJ:  The  defense  at  oral  argument  advised  the  Court  that  it's 

being  offered  to  rebut  the  testimony  in  Prosecution  Exhibit  117  of 
CW5  Larue  regarding  the  TTPs.  Is  it  the  government's  position  that 
the  TTP  portion  of  his  declaration  is  an  opinion  versus  an  assertion 
of  fact? 

ATC [CPT  WHYTE]:  Yes,  ma'am.  We  think  it's  all  in  —  his 

entire  statement  is  an  opinion,  not  him  definitive  saying  this  is 
unclassified.  Even  the  first  few  sentences  it  says  it  s  in  our  -  I 
forget  the  words,  but  I  think  he  even  says  it's  our  opinion. 

MJ:  The  sentence  I'm  reading  it  says,  'Under  this  category, 

operational  information  may  be  unclassified  if  the  information 
describes  a  past  event  in  general  terms,  provides  no  indicators  of 
potential  future  operations,  does  not  provide  specific  locations, 
unit  data,  TTPs,  capabilities,  or  does  not  embarrass  coalition 
members .  ’ 
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ATC[CPT  WHYTE]:  Yes,  ma'am.  But  in  the  first  sentence  of  the 

second  paragraph,  where  Rear  Admiral  Donegan  says,  'In  our  view  the 
video  in  question  should  be  unclassified, '  that  statement  that  you 
just  read.  Your  Honor,  goes  towards,  again,  his  opinion.  This  is  why 
his  opinion.  This  is  why  his  opinion  is  that  it  should  be 
unclassified. 

MJ:  Well,  let  me  ask  a  question  and  I'll  ask  it  of  the  defense 

first.  Should  I  decline  to  take  judicial  notice  of  this  statement 
from  Rear  Admiral  Donegan?  Would  the  defense  be  requesting  him  as  a 
witness  for  the  merits? 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

MJ:  So,  government,  if  I  decline  to  —  your  basic  objection  is 

hearsay.  So  if  I  decline  to  take  judicial  notice  and  the  defense 
asks  for  him  as  a  witness,  is  the  government  prepared  to  produce  him? 

ATC [CPT  WHYTE]:  One  second,  Your  Honor. 

MJ:  Yes,  certainly. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  consulted 
with  the  trial  counsel . ] 

ATC [CPT  WHYTE]:  Well,  Your  Honor,  I  think  that  we  would 

still  prefer  to  litigate  whether  or  not  his  testimony  would  be 
relevant  for  the  merits  under  a  703  litigation. 
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MJ:  You  have  a  stipulation  of  expected  testimony  from  CW5  Larue 

saying  that  he  verified  the  results  —  let's  see,  what  does  he  say 
here.  Hold  on.  Do  you  have  Prosecution  Exhibit  117  in  front  of  you? 

ATC  [CPT  WHYTE]:  Yes,  ma'am. 

MJ:  This  witness  is  saying  that  TTPs  are  a  puzzle  and  revealing 

any  piece  can  make  the  puzzle  easier  for  adversary.  Wouldn't  the 
relevance  of  Rear  Admiral  Donegan's  testimony  to  be  to  rebut  that? 

ATC [CPT  WHYTE]:  Your  Honor,  the  defense  is  invited  to  offer 

__  Rear  Admiral  Donegan  is  just  stating  what  was  actually  included  in 
the  classification  guide  as  far  as  when  I  read  Rear  Admiral  Donegan's 
statement . 

MJ:  But  if  he's  saying  in  his  opinion  it's  not  classified, 

wouldn't  that  necessarily  entail  the  fact  that  it  wouldn't  contain  a 
TTP  or  TTPs? 

ATC[CPT  WHYTE]:  In  his  opinion,  yes,  ma'am.  Not  as  in  a 

fact,  him  definitively  saying  it  contains  nothing.  This  is  just  his 
opinion. 

MJ:  And  that  wouldn't  go  to  rebut  CW5  Larue's  opinion? 

TC [MAJ  FEIN]:  Ma'am,  may  we  have  a  moment,  please? 

MJ:  Yes. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  consulted 
with  the  trial  counsel . ] 
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MJ:  The  Court  is  happy  to  take  a  recess  if  the  parties  would 

like . 

TC [MAJ  FEIN]:  No,  ma'am. 

TC [MAJ  FEIN]:  Your  Honor,  if  we  may,  may  another  counsel  argue 
this  one  point  for  the  government? 

MJ:  Yes.  Go  ahead. 

TC [MAJ  FEIN]:  Ma'am,  the  United  States  directs  the  Court  s 
attention  to  the  actual  General  —  or  excuse  me,  Admiral  Donegan 
memo.  The  purpose  of  the  Admiral  Donegan  memo.  Defense  Enclosure  1, 
to  its  motion,  is  Tasker  CENTCOM  Assessment  of  1st  Cav  Division 
Classification  Determination  of  the  Apache  Video.  The  entire  purpose 
of  this  memorandum  to  the  Office  of  Judge  Advocate  of  the  Army  was  to 
do  a  classification  review,  to  determine  whether  something  was 
classified  or  not.  It  wasn't  to  do  a  fact  based  analysis  of  whether 
information  was  contained.  TTP  were  or  were  not  —  did  or  did  not 
exist.  It's  whether  they  warranted  classification.  TTPs  and  other 
information  provided  in  this  memo  could  warrant  classification,  but 
it  doesn't  mean  it  factually  did  or  did  not  contain  it.  Again,  the 
purpose  of  this  memo  is  exactly  as  it  states  in  the  memo,  whether  it 
warrants  classification.  Therefore,  does  it  cause  —  could  it  cause 
damage  to  national  security,  serious  damage  or  grave  damage?  Admiral 
Donegan 's  opinion  in  this  memo.  Your  Honor,  is  it  doesn't  warrant  any 
of  those  protections,  thus  is  unclassified,  but  there  is  no  statement 


9013 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


o  ^ 


here,  the  purpose  of  this  memo  isn't  to  say  whether  TTPs  existed  or 
not.  And  the  defense  would  object  likely  if  the  gov  —  if  the 
defense  —  excuse  me  —  the  United  States  would  likely  object  to  it 
if  the  defense  filed  a  motion  to  compel  production  simply  because  it 
is  their  conjecture  that  that  is  what  he  would  say.  They  have  no 
clue  that  Admiral  Donegan  would  say  that  the  video  does  or  does  not 
contain  TTPs.  It's  only  whether  it  warrants  classification.  And 
Chief  Larue's  stipulation  of  expected  testimony  simply  states  the 
fact  it  does  contain  TTPs. 

MJ:  Well,  it  goes  beyond  that.  It  says  that  the  TTPs  are  a 

puzzle  and  revealing  any  piece  could  make  solving  the  puzzle  easier 
for  an  adversary. 

TC [MAJ  FEIN]:  Yes,  ma'am.  But  according  to  at  least  that  video, 
at  that  time  on  13  October  2010,  under  Admiral  Donegan,  in  his 
opinion,  not  to  the  level  that  rises  to  warranting  classification. 

It  doesn't  mean  TTPs  doesn't  exist.  Again,  the  purpose  for  this  memo 
was  to  do  a  classification  review.  So  going  back  to  what  my  co¬ 
counsel  started  with  as  an  argument,  this  is  an  opinion  of  whether 
something's  classified  based  off  the  factors  given.  Those  factors 
are  listed. 

MJ:  So  is  your  objection  then  to  the  relevance  of  producing 

this  witness,  is  it  the  defense  hasn't  talked  to  them  and  doesn't 
know  what  the  witness  is  going  to  say  about  TTPs? 
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TC [MAJ  FEIN]:  That  would  be  the  first  one.  Your  Honor.  We'd 
want  to  hear  what  the  defense  has  to  proffer  about  the  entire  scope 
of  the  testimony.  If  it's  simply  to  ask  one  factual  question  on 
whether  it  did  or  did  not  have  TTPs  involved  in  the  video,  that's  one 

thing.  If  it's  more  than  that  - 

MJ:  All  right.  I  understand  the  government's  position. 

ATC [CPT  WHYTE]:  Ma'am,  as  far  as  the  second  fact  that  the 

defense  is  asking  this  Court  to  take  judicial  notice  of  the  FOIA 
request  it's  not  relevant  at  this  point.  There's  no  evidence  that 
PFC  Manning  had  knowledge  of  this  FOIA  request  or  CENTCOM's  alleged 
response  thereto,  so  we  would  object  on  relevance,  ma'am. 

MJ:  Okay.  And  that's  basically.  I'll  allow  you  to  come  back 

too  after  the  defense  comes  back  because  now  they're  going  to  tell  me 
what's  in  the  Prosecution  Exhibit  30  that  they  believe  is  going  to 
make  this  relevant.  Go  ahead. 

ADC [CPT  TOOMAN] :  Thank  you,  ma'am.  I  will  hand  you 

Prosecution  Exhibit  30,  as  well  as  Prosecution  Exhibit  15  which  is 
just  a  picture.  Your  Honor,  we  believe  the  government  has  put  forth 
evidence  that  would  suggest  that  PFC  Manning  was  aware  of  the  Reuters 
FOIA  request.  First  we  direct  your  attention  to  Prosecution  Exhibit 
15  which  is  a  CD. 

MJ:  That's  for  identification. 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 


9015 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


o 


o 


MJ:  So  it ' s  not  in  evidence. 

DC [CPT  TOOMAN] :  Right.  The  government  has  talked  about  it. 

TC [MAJ  FEIN]:  Your  Honor,  15  was  admitted. 

MJ:  Oh,  it  was? 

TC [MAJ  FEIN]:  Yes,  Your  Honor. 

ADC [CPT  TOOMAN]:  The  picture  is  a  substitution,  ma'am. 

MJ:  I  see.  Okay.  Let  me  just  actually  go  ahead  and  admit  it 

then.  Both  sides  agree  Prosecution  Exhibit  15  is  admitted? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

ADC [CPT  TOOMAN]:  Yes,  ma'am.  So  you'll  see  on  Prosecution 

Exhibit  15  the  CD  titled  CZ  Engagement  Zone,  et  cetera ,  et  cetera ,  it 
also  says  Reuters  FOIA  request.  So  that  would  suggest  that  PFC 
Manning  was  aware  of  the  Reuters  FOIA  request  because  he  labeled  it 
Reuters  FOIA  request.  Additionally,  ma'am,  in  Prosecution  Exhibit 
30,  the  chat  logs,  there  are  a  number  of  references  to  this  incident 
on  Page  26  of  your  copy  and  going  into  Page  27. 

MJ:  Hold  on. 

ADC [CPT  TOOMAN]:  Starting  at  time  marker,  3:10:32  seconds  PM 

PFC  Manning  is  talking  about  this  video.  He's  talking  about  doing 
research  on  it.  He's  talking  about  the  Finkel  book. 

MJ:  You  said  it's  on  Page  26  of  mine? 

ADC [CPT  TOOMAN]:  Yes,  ma'am.  ,  and  it  goes  into  27,  I 

believe.  Time  stamp  3:10:32. 
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MJ:  Where  does  it  talk  anything  about  a  FOIA  request? 

ADC [CPT  TOOMAN] :  He's  talking  about  the  video  specifically. 

Your  Honor.  Here  he  doesn't  reference  FOIA  explicitly,  but  he's 
talking  about  the  research  he  did  into  the  incident. 

MJ:  How  is  the  FOIA  request  —  How  does  that  tie  into  the  FOIA 

request? 

ADC [CPT  TOOMAN]:  It  suggests  that  he  was  aware  of  what 

happened  and  he  was  looking  into  it.  And  if  you  look  at  Page  33, 
again,  he  doesn't  talk  about  FOIA  request,  but  at  time  stamp  2:24:58 
AM. 

MJ:  2:24,  okay.  We  must  have  different  pages  here.  Because 

that's  on  34  of  mine. 

ADC [CPT  TOOMAN]:  I'm  sorry.  Your  Honor.  34  of  yours. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  He's  talking  about  —  Again,  he's  talking 

about  this  video.  And  then  on  Page  33  of  yours  - 

MJ:  Hold  on.  Okay.  And  I'm  sorry.  What's  the  next  one? 

ADC [CPT  TOOMAN]:  On  your  Page  33  at  2:07:41  AM,  you  see  him 

say  event  occurs  in  2007.  I  watched  video  in  2009  with  no  context. 

Do  research.  Forward  information  to  group  of  FOIA  Activists.  So 
there  he's  talking  about  freedom  of  information,  he's  talking  about 
researching  the  incident,  and  these  things  taken  in  totality  suggests 
that  PFC  Manning  was  aware  of  the  FOIA  request  by  Reuters. 
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Particularly  when  viewed  in  conjunction  with  Prosecution  Exhibit  15 
in  which  he  labels  the  CD  Reuters  FOIA  request.  So  based  on  that,  we 
think  this  is  relevant  and  we've  overcome  the  government's  objection 
because  there  is  evidence  that  suggests  PFC  Manning  was  aware  of  this 
FOIA  request. 

MJ:  All  right.  Thank  you.  Captain  Whyte. 

ATC [CPT  WHYTE] :  Could  we  have  one  second.  Your  Honor? 

MJ:  Yes. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  consulted 
with  the  trial  counsel . ] 

MJ:  Before  you  start.  Captain  Whyte,  I  do  have  a  question  for 

you.  Your  objection  is  based  on  relevance,  initially  because  of  the 
providence  inquiry  as  originally  set  forth  by  the  defense  in  their 
brief,  and  now  you'll  be  addressing  what  has  been  raised  in  oral 
argument.  But  before  you  do  that,  the  actual  enclosures  themselves, 
the  Freedom  of  Information  Act  request  and  the  response,  does  the 
government  object  to  its  authenticity,  the  fact  that  when  these 
things  were  filed,  what  they  say? 

ATC [CPT  WHYTE]:  Your  Honor,  we  would  not  object  that  the 

defense  has  provided  the  Court  with  sources  that  pursuant  to  M.R.E. 
201  are  sufficient.  They  are  reliable. 

MJ:  Okay. 
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ATC[CPT  WHYTE]:  So,  Your  Honor,  based  on  this  new  argument 

by  the  defense,  it's  obvious  that  PFC  Manning  labeled  that  CD  FOIA 
reguest.  We  would  still  argue  it  doesn't  necessarily  prove  that  PFC 
Manning  had  knowledge  of  this  particular  request.  It  could  have  been 
any  type  of  request,  or  the  contents  of  the  request,  or  the  fact 
CENTCOM  eventually  did  respond  to  the  FOIA  request.  There's  still  no 
evidence  of  that. 

MJ:  No  evidence  that  of  what? 

ATC [CPT  WHYTE]:  That  CENTCOM  responded  to  the  request. 

Because  the  CD,  as  far  as  I  remember.  Your  Honor,  I  don't  have  it 
with  me,  but  I  think  it  said,  labeled  the  event  and  then  FOIA 
request . 

MJ:  So  if  I'm  understanding  what  you're  telling  me,  there's  no 

evidence  on  the  record  that  PFC  Manning  knew  that  CENTCOM,  whether 
CENTCOM  did  or  did  not  respond  to  a  FOIA  request. 

ATC [CPT  WHYTE]:  Correct.  Yes,  ma'am. 

MJ:  Okay.  So  is  the  government,  what's  the  government's 

position  with  respect  to  Enclosures  1  and  2,  the  fact  that  there  were 
FOIA  requests?  Or  a  FOIA  request  from  Reuters. 

ATC [CPT  WHYTE] :  As  far  as  whether  or  not  the  Court  should 

take  judicial  notice? 

MJ:  Yes. 
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ATC [CPT  WHYTE]:  We  don't  object  that  there  —  or  we  don't 

oppose  that  there  was  a  FOIA  request.  Again,  these  sources  confirm 
that  that  fact  actually  did  happen.  Again,  we  still  don't  think  it's 
relevant  for  judicial  notice.  The  defense  is  free  to  offer  this 
evidence  in  their  case. 

M J :  Well,  I  think  that's  what  —  you  said  that  the  defense  is 
free  to  offer  this  evidence  in  their  case.  So  if  the  Court  doesn't 
take  judicial  notice  of  it,  the  defense  is  going  to  require  witnesses 
to  authenticate  the  —  to  testify  about  this  and  authenticate  these 
FOIA  requests,  right? 

ATC [CPT  WHYTE]:  Yes,  ma'am,  and  the  government  will 

stipulate  that  these  FOIA  requests  actually  happened.  But  as  far  as 
evidence  that  PFC  Manning  knew  of  the  substance  of  the  FOIA  request 
and  knew  that  CENTCOM  responded,  we  don't  think  at  this  point,  Your 
Honor,  there's  really  any  evidence  out  there  that  would  support  a 
judicial  notice. 

MJ:  I  wouldn't  be  taking  judicial  notice  that  PFC  Manning  knew 

that  there  was  FOIA  requests  out  there  and  that  they  responded.  I'm 
just  taking  judicial  notice  of  the  FOIA  request  itself.  Those  links 
and  those  leaps  and  inferences,  that's  a  job  of  the  parties,  not  me. 

ATC [CPT  WHYTE]:  Yes,  ma'am. 

MJ:  So  under  those  circumstances,  I  mean  what  - 
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1  ATC [CPT  WHYTE]:  Then  we  wouldn't  object.  Your  Honor,  that 

2  those  actually  happened  and  that  the  Court  could  take  judicial  notice 

3  of  those  facts. 

4  MJ:  So  you're  not  objecting  any  more. 

5  ATC [CPT  WHYTE]:  We  still  don't  believe  that  there's  evidence 

6  out  there  to  confirm  that,  again,  PFC  Manning  knew  about  this  to 

7  establish  relevance  for  these  FOIA  requests. 

8  MJ:  So  are  you  objecting  to  relevance?  For  judicial  notice, 

9  I'm  not  going  to  take  judicial  notice  of  something  that's  not 

10  relevant.  So  talk  to  your  compatriots  there  and  tell  me  what  the 

11  government  position  is. 

12  [There  was  a  brief  pause  while  the  assistant  trial  counsel  consulted 

13  with  trial  counsel . ] 

14  ATC [CPT  WHYTE]:  Your  Honor,  we  won't  object  that  there  was  a 

15  FOIA  request  and  that  there  was  a  CENTCOM  response,  so  we  withdraw 

16  our  objection  to  that  fact. 

17  MJ:  So  the  government  is  not  objecting  to  the  Court  taking 

18  judicial  notice  of  Enclosures  1,  2,  and  3  of  the  defense  motion? 

19  ATC [CPT  WHYTE]:  That's  correct.  Your  Honor. 

20  MJ:  So  just  to  wrap  up  here  then,  remaining  at  issue  from  the 

21  defense  motions  for  judicial  notice  that  the  government  does  not 

22  object  to  the  9-11  pager  messages  and  the  government  does  not  object 

23  to  the  FOIA  requests  and  the  response.  And  the  government  does  not 
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1  object  to  the  transcript  at  Prosecution  Exhibit  15,  Enclosure  2  by 

2  the  government,  that  that's  an  accurate  transcript  of  the  video? 

3  ATC [CPT  WHYTE]:  Yes,  ma'am. 

4  MJ:  So  all  we  have  remaining  at  issue  now  is  Rear  Admiral 

5  Donegan,  right? 

6  ATC [CPT  WHYTE]:  Yes,  ma'am. 

7  MJ:  Both  sides  agree? 

8  ADC [CPT  TOOMAN] :  Yes,  ma'am. 

9  MJ:  All  right.  And  let's  move  to  —  is  there  anything  else 

10  that  we  need  to  address  with  respect  to  the  defense  requests  for 

11  judicial  notice? 

12  ADC [CPT  TOOMAN]:  No,  Your  Honor. 

13  ATC [CPT  WHYTE]:  No,  ma'am. 

14  MJ:  And  I'm  not  going  to  hear  any  more  about  providence  inquiry 

15  statements  made  as  evidence,  right? 

16  ADC [CPT  TOOMAN]:  Yes,  ma'am.  No,  ma'am. 

17  MJ:  That  was  a  double  negative  question,  so  let  me  —  I  will  be 

18  hearing  no  further  evidence,  is  that  correct? 

19  ADC [CPT  TOOMAN]:  That  is  correct.  Your  Honor. 

20  MJ:  All  right.  Let's  move  on  to  the  prosecution  request  for 

21  judicial  notice. 

22  ATC [CPT  WHYTE]:  Yes,  ma'am.  The  United  States  requests  that 

23  this  Court  take  judicial  notice  of  several  facts.  It  may  be  helpful 
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1  to  break  them  up  as  we  did  in  our  motion.  First  of  all,  the 

2  WikiLeaks  releases.  Your  Honor,  we  request  that  the  Court  take 

3  judicial  notice  of  the  five  releases  by  WikiLeaks.  The  government  — 

4  The  defense  opposed  alleging  that  we  haven't  established  relevance. 

5  We  completely  oppose  that  obviously  under  401  —  M.R.E.  401,  this 

6  evidence  is  relevant.  Not  only  to  establish  that  or  as  evidence  to 

7  show  that  these  documents  or  the  video  were  closely  held  at  the  time 

8  prior  to  the  releases,  but  also  for  most  of  the  offenses  for 

9  Specification  1  of  Charge  II,  PFC  Manning  is  charged  with  causing 

10  intelligence  to  be  published  on  the  Internet.  The  fact  that 

11  WikiLeaks  released  these  five  sets  of  documents  or  media  is  relevant 

12  to  not  only  the  closely  held  element  of  the  793  offenses,  but  also  to 

13  the  Spec  1  of  Charge  II. 

14  MJ:  If  it  is  relevant  to  those  specifications.  Specification  1 

15  of  Charge  II,  what  other  specifications  do  you  —  this  first  grouping 

16  of  five,  in  addition  to  793(e)  specifications,  what  else  is  the 

17  government  claiming  they're  relevant  to? 

18  ATC [CPT  WHYTE]:  It's  also  relevant  to  the  641  offenses, 

19  ma'am.  PFC  Manning  is  charged  with  stealing,  purloining,  or 

20  knowingly  converting  these  documents  or  this  video  and  the  fact  that 

21  WikiLeaks  released  it  later  is  evidence  to  show  that  under  the  M.R.E. 

22  401  standard  that  PFC  Manning  compromised  those  videos  in  the 

23  timeframe  alleged. 
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1  MJ:  Why  isn't  any  of  that  in  your  brief?  The  brief  relies 

2  solely  on  793(e)  offenses  for  relevance. 

3  ATC [CPT  WHYTE]:  Yes,  ma'am.  And  we  think  for  the  - 

4  MJ:  I  understand  that.  Why  isn't  —  I'm  suddenly,  once  again, 

5  at  oral  argument  now  having  entirely  new  theories  from  both  sides  on 

6  why  I  should  take  judicial  notice  of  things.  Why  is  that? 

7  ATC[CPT  WHYTE]:  I  have  no  excuse.  Your  Honor. 

8  MJ:  All  right.  Well,  let's  capture  here  in  oral  argument  now, 

9  so  we've  got,  are  you  basically  arguing  to  me  that  - 

10  ATC[CPT  WHYTE]:  Yes,  ma'am.  The  fact  that  they  were 

11  released  subsequent  to  the  timeframe  that  PFC  Manning  is  charged  with 

12  releasing  the  information  or  compromising,  that  that  is  evidence  to 

13  show  that,  I  mean,  that's  evidence  shows  more  likely  than  not  that 

14  PFC  Manning  did  compromise  the  information  during  the  alleged 

15  timeframe. 

16  MJ:  So  with  respect  to  each  of  these  pieces,  the  video,  the 

17  combined  information,  the  CIDNE  databases  Iraq  and  Afghanistan,  and 

18  the  Joint  Task  Force  GTMO  and  the  Army  Counter  Intelligence  Center 

19  reports  are  all  relevant  to  the  641  offenses  and  the  various 

20  specifications  that  charge  those  data  sets? 

21  ATC [CPT  WHYTE]:  Yes,  ma'am. 

22  MJ:  Okay.  What  else,  641,  793(e)  as  you've  alleged,  what  else? 

23 
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1  ATC [CPT  WHYTE]:  Yes,  ma'am.  Again,  it  was  not  alleged  in 

2  the  brief.  Specification  1  of  Charge  II,  the  element  that  PFC  Manning 

3  caused  intelligence  to  be  published  on  the  Internet.  The  fact  that 

4  the  information  was  published  on  the  Internet  is  definitely  relevant 

5  to  that  element. 

6  MJ:  Any  other  offense? 

7  ATC [CPT  WHYTE]:  No,  Your  Honor. 

8  MJ:  So  the  relevance  then  for  this  first  group  of  sets,  A 

9  through  E,  WikiLeaks  releases  goes  to  Specification  1  of  Charge  II, 


10 

and  then  the 

641  and 

793(e)  respective 

specifications . 

11 

ATC [CPT 

WHYTE] : 

Yes,  ma'am. 

12 

MJ:  And  that's 

it? 

13 

ATC [CPT 

WHYTE] : 

Yes,  ma'am. 

The  next  set  of  facts,  Your 

14  Honor,  the  salary  of  Servicemembers  and  government  employees.  The 

15  Court  has  heard  evidence  through  testimony  and  through  a  stipulation 

16  of  expected  testimony  that  the  documents,  the  detainee  assessments  as 

17  well  as  the  global  address  list,  they  were  prepared  and  maintained  by 

18  persons  at  these  ranks,  ranks  on  the  GS  scale,  so  as  far  as  the  value 

19  of  this  information,  the  value  of  producing  this  information  is 

20  definitely  relevant. 

21  MJ:  So  for  those  then  you're  - 

22  ATC [CPT  WHYTE]:  It's  the  641  offenses,  ma'am.  The 

23  Specification  8  and  16.  The  salary  of  Servicemembers  at  the  grade  of 
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1  E4,  that's  relevant  to  Specification  8  and  16.  There's  a  stipulation 

2  of  expected  testimony  from  Mr.  Jeffrey  Motes  that  confirm  that 

3  Soldiers  at  this  rank  helped  create  these  detainee  assessments  and 

4  that's  at  Prosecution  Exhibit  131.  And  you  also.  Your  Honor,  there 

5  was  testimony  from  Chief  Rouillard  that  Servicemembers  at  the  rank  of 

6  E4,  Specialist,  were  part  of  the  maintaining  and  producing  the  global 

7  address  list,  which  is  relevant  for  the  valuation  of  those  databases. 

8  And  Your  Honor,  same  thing  with  the  government  employees,  the  GS-12 

9  scale,  GS-12  level.  This  is  actually  only  relevant  to  Specification 

10  8  of  Charge  II.  Again,  in  Prosecution  Exhibit  131  the  stipulation  of 

11  expected  testimony  from  Mr.  Motes,  the  evidence  is  before  the  Court 

12  that  government  employees  at  the  GS-12  rank  helped  create  the 

13  detainee  assessments. 

14  Your  Honor,  moving  to  the  next  set  of  facts  in  subparagraph 

15  hotel,  we're  asking  the  Court  to  take  judicial  notice  of  select 

16  paragraphs  in  Army  Regulation  25-1. 

17  MJ:  What's  the  relevance  of  that  if  PFC  Manning  is  not  charged 

18  with  that? 

19  ATC [CPT  WHYTE]:  Yes,  ma'am.  It  goes  to  Specification  4  of 

20  Charge  III  where  the  accused  is  charged  with  using  an  information 

21  system  in  a  manner  other  than  its  intended  purpose.  This  regulation 

22  discusses  what  are  some  of  the  authorized  and  unauthorized  purposes 

23  of  information  systems,  so  we  think  this  would  benefit  the  Court  by 
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1  reading  this  in  conjunction  with  25-2,  the  paragraphs  that  have 

2  already  been  taken  judicial  notice  of  to  assist  the  Court  in 

3  determining  whether  or  not  PFC  Manning  used  an  information  system  in 

4  a  manner  other  than  its  intended  purpose.  And,  Your  Honor,  these 

5  facts  for  AR  25-1,  and  again,  Your  Honor,  I'm  also  including  the 

6  definition  of  information  system  which  is  an  Army  Regulation  25-2 

7  which  was  put  in  the  government's  corrected  copy,  those  are  also 

8  relevant  to  Specification  16  of  Charge  II  where  the  accused  is 

9  charged  with  stealing,  purloining  or  knowingly  converting  the  global 

10  address  list.  Again,  these  portions  of  the  regulation  discuss 

11  information  owned  by  the  United  States  government  and  generally  why 

12  we  don't  just  release  it.  So  it's  relevant  to  that  641  offense  as 

13  well.  Your  Honor.  And  then,  Your  Honor,  lastly,  what's  termed  as  the 

14  miscellaneous  adjudicated  facts.  The  defense  - 

15  MJ:  Wait  a  minute.  What  about  the  privacy  program? 

16  ATC [CPT  WHYTE]:  Oh,  Your  Honor,  I'm  sorry.  Your  Honor.  Same 

17  reasons  as  the  Army  regulations.  This  document  talks  about  the 

18  government's  policy  to  protect  PII  type  information  and  that  it  is  a 

19  thing  of  value  and  that  it  also  is  owned  by  the  United  States 

20  government,  so  we  would  argue  that  it  goes  to  Specification  4  of 

21  Charge  III  as  well  as  Specification  16  of  Charge  II.  The  same 

22  reasons  as  outlined  in  the  Army  Regulation  25-1  and  25-2. 

23  MJ:  Okay. 
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1  ATC [CPT  WHYTE]:  Your  Honor,  lastly  the  - 

2  MJ:  So,  Thanksgiving  is  not  objected  to? 

3  ADC [CPT  TOOMAN] :  No,  ma'am. 

4  ATC [CPT  WHYTE]:  So  I  guess  we’re  only  left  with 

5  Subparagraph  Kilo,  Lima  and  Mike.  Your  Honor,  we  argue  that  these 

6  facts,  which  are  actually  evident  in  Prosecution  Exhibit  - 

7  MJ:  Well,  let's  —  let's  —  Mike  is  completely  different  from 

8  Kilo  and  Lima,  so  let’s  go  to  Kilo  and  Lima. 

9  ATC [CPT  WHYTE]:  Yes,  ma’am.  Kilo,  the  term  ".is"  is  the  top 

10  level  Internet  domain  of  Iceland. 

11  MJ:  Okay.  How  is  that  relevant? 

12  ATC [CPT  WHYTE] : Your  Honor,  the  accused  in  his  chats  with  Mr. 

13  Julian  Assange  specifically  reference  this  term. 

14  MJ:  Can  you  show  me  that?  And  that  would  be  Prosecution 

15  Exhibit  what? 

16  ATC [CPT  WHYTE]:  123,  Your  Honor. 

17  MJ:  May  I  see  Prosecution  Exhibit  123? 

18  ATC [CPT  WHYTE]:  It’s  on  Page  5,  Your  Honor. 

19  MJ:  Okay.  Let  me  get  the  exhibit  then. 

20  ATC [CPT  WHYTE]:  Yes,  ma’am. 

21  MJ:  All  right.  I’m  looking  at  Prosecution  Exhibit  123  at  Page 

22  5. 

23  ATC [CPT  WHYTE]:  Yes,  ma’am.  At  time  6:19:16. 
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1  MJ:  Okay. 

2  ATC [CPT  WHYTE]:  Then,  Your  Honor,  so  we  think  that  defining 

3  what  this  actually  means  helps  with  the  Court  to  understand  this 

4  prosecution  exhibit.  Also,  Your  Honor,  Paragraph  Lima  we  identify 

5  four  individuals  and  we're  asking  the  Court  to  take  judicial  notice 

6  of  their  positions  in  the  Icelandic  government. 

7  MJ:  How  is  that  relevant? 

8  ATC [CPT  WHYTE]:  Again,  Your  Honor,  the  accused  in  the  — 

9  with  the  first  three  people.  Your  Honor,  in  Prosecution  Exhibit  29 

10  which  is  the  volumes.txt  document,  these  people's  last  —  the  files 

11  of  these  people's  names  is  actually  included  in  there.  So,  again,  we 

12  think  it  would  be  helpful  - 

13  MJ:  May  I  see  that  exhibit,  please?  Is  that  a  classified 

14  exhibit? 

15  ATC [CPT  WHYTE]:  It  is  not,  ma'am. 

16  MJ:  Okay.  All  right.  I  see  what  you're  talking  about.  All 

17  right . 

18  ATC [CPT  WHYTE]:  Then,  Your  Honor,  the  fourth  person  - 

19  MJ:  Hold  on  just  a  minute.  Is  this  —  Has  Prosecution  Exhibit 

20  39  been  admitted? 

21  ATC [CPT  MORROW]:  Ma'am,  the  admitted  version  of  that 

22  screenshot  is  Prosecution  Exhibit  127.  It's  the  same  information. 

23  MJ:  Why  is  it  marked  as  an  exhibit  twice? 
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1  ATC [CPT  MORROW]:  For  the  opening  statement,  ma'am,  we  marked 

2  it  as  an  exhibit  for  display,  and  then  that  same  information  was  — 

3  we  put  line  numbers  on  it,  so  that's  Line  7  so  we  can  refer  to  it 

4  during  testimony  so  that  changes  sort  of  the  length  - 

5  MJ:  127.  All  right.  Do  both  sides  agree  that  Prosecution 

6  Exhibit  127  that's  admitted  is  the  same  as  Prosecution  Exhibit  39  for 

7  Identification  with  respect  —  except  with  respect  to  the  line 

8  numbers? 

9  ADC [CPT  TOOMAN] :  Yes,  ma’am. 

10  MJ:  So  let's  talk  about  Prosecution  Exhibit  127  the  one  that's 

11  been  admitted.  Okay.  I  see  the  three  names  are  there.  Okay.  I'm 

12  sorry.  Once  again,  may  I  see  Prosecution  Exhibit  39  again?  Counsel, 

13  I'm  a  little  confused.  Both  sides  have  agreed  that  these  two 

14  exhibits  are  the  same,  but  they're  not  in  the  same  order,  so  I  guess 

15  I'm  confused.  If  you  look  at  the  names  you'll  see  that. 

16  TC [MAJ  FEIN]:  Your  Honor,  I'm  holding  Prosecution  Exhibit  39 

17  for  Identification  and  Prosecution  Exhibit  127.  The  Court  heard 

18  testimony  from  Mr.  Mark  Johnson  that  when  he  was  presented 

19  Prosecution  Exhibit  127  he  explained  that  there  were  line  numbers 

20  from  the  document  he  created.  This  document  is  in  alphabetical 

21  order,  or  if  there's  a  number,  it's  number  order.  The  information  is 

22  identical,  it's  just  the  order  in  which  it  falls  is  different. 
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1  MJ:  Okay.  Thank  you.  All  right.  Anything  further  with  K  and 

2  L? 

3  ATC [CPT  WHYTE]:  Yes,  ma'am.  The  last  person  in  Paragraph  L, 

4  that  person  is  not  in  Prosecution  Exhibit  127,  but  that  person  is 

5  identified  by  the  accused  in  the  Intelink  charts,  the  summary,  that's 

6  a  classified  prosecution  exhibit,  but  this  person  was  a  search  term 

7  used  by  the  accused.  And,  Your  Honor,  I  can  give  you  the  line 

8  number,  it  is  a  classified  exhibit,  I  can  give  you  the  line  number 

9  that  specifically  references  this  person. 

10  MJ:  Which  exhibit  and  which  line? 

11  ATC [CPT  WHYTE]:  It's  going  to  be  Prosecution  Exhibit  49, 

12  and,  ma'am,  it's  line  number  578  through  581. 

13  MJ:  All  right. 

14  ATC [CPT  WHYTE]:  Sorry,  Your  Honor.  It's  actually 

15  Prosecution  Exhibit  81. 

16  MJ:  So  it's  not  49,  it's  81? 

17  ATC [CPT  WHYTE]:  Yes,  ma'am.  Sorry. 

18  MJ:  I  think  you  might  want  to  send  someone  out  with  your  person 

19  who  was  going  to  retrieve  Prosecution  Exhibit  49.  All  right.  Let's 

20  move  on  to  M. 

21  ATC [CPT  WHYTE]:  Yes,  ma'am. 

22  MJ:  I  have  a  question  about  M.  Your  exhibit  here,  your 

23  Enclosure  13  is  basically  acronyms  for  PE  30  with  time,  page,  context 
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1  and  translation.  How  do  I  have  any  idea  based  on  what  you've 

2  presented  that  this  is  an  adjudicative  fact  that  can  be  found  —  that 

3  I  can  find  for  judicial  notice? 

4  ATC [CPT  WHYTE]:  Your  Honor,  we  would  argue  that  this  is  a 

5  commonly  —  commonly  used  acronyms  for  people  that  do  engage  in 

6  Internet  chat  with  other  people,  and  these  are  just  commonly  used 

7  terms  in  Internet  chat  communications . 


8 

MJ:  Defense,  do 

you  stipulate  to  that? 

9 

ADC [CPT  TOOMAN] : 

No,  ma'am. 

10 

MJ:  How  would  I 

have  any  idea  based  on  this  that  that's  true? 

11 

ATC [CPT  WHYTE] : 

One  second,  please. 

12  [There  was  a  brief  pause  while  the  assistant  trial  counsel  consulted 

13  with  the  trial  counsel . ] 

14  ATC [CPT  WHYTE]:  Ma'am,  this  information  was  compiled  from 

15  multiple  resources  that  we  can  provide  the  Court. 

16  MJ:  If  you  want  judicial  notice  of  M,  I  highly  suggest  you  do 

17  that . 

18  ATC [CPT  WHYTE]:  I  will,  yes,  ma'am.  I'll  do  that.  Ma'am, 

19  no  further  questions? 

20  MJ:  No.  I  think  I've  asked  them.  Thank  you. 

21  ATC [CPT  WHYTE]:  Yes,  ma'am. 

22  TC [MAJ  FEIN]:  Ma'am,  just  to  correct  one  thing  that 

23  unfortunately  Captain  Whyte  said  earlier,  although  the  United  States 
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1  did  in  its  theory  of  relevance  not  put  in  for  the  first  category  of 

2  WikiLeaks  releases  Specification  1  of  Charge  II,  all  of  the  641s  were 

3  briefed  in  here  along  with  the  793  offenses.  So  on  Page  3,  and  Page 

4  4  . 

5  MJ:  All  right.  So  then  the  only  one  that's  added  then  is 

6  Specification  1  of  Charge  II? 

7  TC [MAJ  FEIN]:  Yes,  ma'am.  That  was  not  briefed  and  should  have 

8  been. 

9  MJ:  Okay.  Captain  Tooman.  Before  you  begin,  let  me  ask  you  a 

10  question. 

11  ADC [CPT  TOOMAN]:  Yes,  ma'am. 

12  MJ:  Your  objections  to  all  of  these  are  relevance.  Do  you  have 

13  any  objection  —  should  I  find  them  relevant,  is  there  any  objection 

14  to  these  being  adjudicative  facts? 

15  ADC [CPT  TOOMAN]:  Well,  I  guess  the  one  we  just  talked  about, 

16  exhibit - 

17  MJ:  That  one  aside. 

18  ADC [CPT  TOOMAN]:  That  one  aside,  no,  ma'am. 

19  MJ:  Okay. 

20  ADC [CPT  TOOMAN]:  So  we'll  start  with  the  —  I  guess  that 

21  first  group  of  five.  Alpha  through  Echo. 

22  MJ:  Okay. 
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1  ADC [CPT  TOOMAN]:  I  guess  the  first  point  we  would  make  is  the 

2  actions  of  WikiLeaks  are  independent  from  the  actions  of  PFC  Manning. 

3  MJ:  Well,  with  respect  to  Specification  1  of  Charge  XX,  isn't 

4  one  of  the  elements  that  they  have  to  be  —  that  PFC  Manning  caused 

5  to  be  published;  the  fact  that  they  are  published  would  go  towards 

6  that  offense? 

7  ADC [CPT  TOOMAN]:  Yes,  but  we  would  —  Can  I  have  a  moment, 

8  Your  Honor? 

9  MJ:  Yes. 

10  [There  was  a  brief  pause  while  the  assistant  defense  counsel 

11  consulted  with  the  civilian  defense  counsel . ] 

12  ADC [CPT  TOOMAN]:  Again,  Your  Honor,  we  would  just  —  we  would 

13  —  our  position  would  be  that  that's  an  intervening  cause.  What's 

14  relevant  here  is  what  PFC  Manning  did.  PFC  Manning,  if  he  gave  it  to 

15  WikiLeaks,  that's  what  the  government  would  need  to  prove.  Again,  I 

16  guess  this  would  go  back  to  our  argument  on  Spec  1  of  Charge  I,  where 

17  we  didn't  believe  that  the  government  had  to  prove  actual  receipt  by 

18  the  enemy.  We  would  have  a  similar  position  here. 

19  MJ:  All  right.  I  understand  your  position. 

20  ADC [CPT  TOOMAN]:  In  addition,  we  don't  believe  it's  relevant 

21  at  all  to  the  793s.  Again,  the  actions  of  WikiLeaks  don't  impact 

22  whether  or  not  a  piece  of  information  is  closely  held.  The 

23  government's  offered  no  —  there's  no  evidence  before  this  Court  that 
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1  WikiLeaks  only  publishes  things  that  are  closely  held.  There's  no 

2  evidence  before  this  Court  that  WikiLeaks  understands  the  definition 

3  employed  by  the  United  States  government  with  respect  to  closely  held 

4  and  then  employs  that  in  their  publishing  decisions. 

5  MJ:  Wouldn't  an  organization  by  the  name  of  WikiLeaks  lead  to 

6  the  inference  that  it  is  publishing  leaks? 

7  ADC [CPT  TOOMAN] :  That  could  be  an  inference.  Your  Honor,  but 

8  an  inference  wouldn't  be  proper  for  judicial  notice.  So  if  the 

9  government  wanted  you  to  draw  that  inference,  they  could  certainly 

10  welcome - 

11  MJ:  No,  no,  no.  I  agree  we're  talking  relevance  now  is  your 

12  objection.  You're  saying  it's  not  relevant  because  WikiLeaks  there's 

13  —  no  evidence  before  the  Court  that  WikiLeaks  only  publishes  leaks 

14  and  whether  they  know  of  a  technical  definition  of  closely  held.  You 

15  know,  relevance  doesn't  mean  it  has  to  prove  everything,  it  just 

16  means  it  has  to  be  a  piece  of  the  pie. 

17  ADC [CPT  TOOMAN]:  Sure.  Our  position  would  be  that  closely 

18  held  is  a  term  of  art  and  - 

19  MJ:  No,  I  agree. 

20  ADC [CPT  TOOMAN]:  And  WikiLeaks  would  have  to  —  for  their 

21  actions  to  be  relevant,  they  would  have  to  understand  that.  The  fact 

22  that  they  did  it,  they  could  publish  anything.  They  publish  I  would 

23  imagine  lots  of  things  that  wouldn't  meet  the  definition  of  closely 
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held.  And  so  the  fact,  the  mere  publishing  of  it  doesn't  make  it 
more  likely  than  not  that  this  particular  piece  of  information  or 
that  particular  piece  of  information  was  closely  held.  Closely  held 
is  something  that  is  determined  by  the  government. 

MJ:  Okay.  Well,  it  will  be  determined  by  me  in  this  case,  but 

okay. 

ADC [CPT  TOOMAN]:  Yes,  ma'am.  Or  the  actions  of  the 

government  and  the  way  the  government  comports  themselves  with 
respect  to  certain  information  is  how  we  figure  out  whether  or  not, 
and  you  will  figure  out  whether  or  not  something  is  closely  held,  not 
by  what  WikiLeaks  does  or  doesn't  do  with  it.  And  with  respect  to 
the  641s,  Your  Honor,  it's  our  belief  this  isn't  going  to  help  you 
determine  whether  or  not  these  things  have  value  at  all.  And  we 
don't  believe  the  governments  articulated  how  it  would  help  you 
determine  value.  And  the  government  has  to  prove  that  these  were 
worth  more  than  a  thousand  dollars,  and  the  fact  that  WikiLeaks 
published  it  doesn't  help  you  assign  any  dollar  value. 

MJ:  Doesn't  the  fact  that  WikiLeaks  has  the  information,  the 

fact  that  they  published  it  means  that  they  necessarily  have  it, 
isn't  that  relevant  to  show  that  PFC  Manning  stole  it? 

ADC [CPT  TOOMAN]:  Not  necessarily.  Your  Honor.  There's  no 

evidence  before  this  Court  that  the  government's  been  denied  their 
use  of  this  information,  and  that's  been  a  theme  throughout  the 
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1  witness  testimony  is  that  the  government's  always  had  the  information 

2  and  so  - 

3  MJ:  Does  that  —  In  the  legal  theory  the  defense  is  going  to 

4  have  down  the  road  is  that  that's  a  requirement  for  a  641  offense? 

5  ADC [CPT  TOOMAN] :  We  think  that  you  would  have  to  show  some 

6  interference  with  the  charged  thing,  and  that,  the  fact  that 

7  WikiLeaks  has  posted  it  doesn't  demonstrate  any  interference. 

8  MJ:  All  right. 

9  ADC [CPT  TOOMAN]:  With  respect  to  F  and  G,  Your  Honor,  again, 

10  we  would  object  based  on  relevance.  Based  on  what  this  request  is 

11  calling  for  the  Court  to  do  is  draw  inferences.  We've  heard  some 

12  testimony  that  some  people  worked  on  this,  this  was  their  rank,  but 

13  we  didn't  hear  any  testimony  about  how  much  time  they  were  actually 

14  spending  on  it  or  how  much  time  they  were  spending  on  this  with 

15  relation  to  other  things.  You  heard  some  general  testimony  that, 

16  yeah,  generally  we've  got  E4s  working  on  this  or  Mr.  Motes  is  a  GS- 

17  12,  but  you  don't  have  any  testimony  as  to  how  much  time  they  were 

18  actually  dedicating  to  these  things.  And  so  what  the  government's 

19  asking  you  to  do  is  infer  and  extrapolate  yourself  the  value  of  these 

20  things,  and  that's  the  government's  burden  is  to  show  you  the  value 

21  of  these  things. 

22  MJ:  Even  if  that's  true,  your  objection  here  is  that  this,  the 

23  salary  of  an  E4  and  base  salary  of  government  employees  is  not 
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relevant.  Understanding  that  the  government  would  —  The 
government's  position  would  be  that  people  worked  a  certain  amount  of 
hours,  therefore  times  whatever  this  salary  range  is  equals  X  amount 
of  value.  Why  would  the  salary  range  not  be  relevant? 

ADC [CPT  TOOMAN] :  We  think  that  this  is  testimony  that  should 

be  brought  out  through  the  witness. 

MJ:  Why?  I  mean  this  is  one  of  these  —  you've  already  told  me 

you're  not  objecting  to  the  adjudicative  fact.  This  is  what  the 
salary  of  an  E4  is.  I  mean  is  that  debatable? 

ADC [CPT  TOOMAN]:  No,  it's  not,  Your  Honor. 

MJ:  That's  what  I'm  taking  judicial  notice  of,  I'm  not  —  I 

would  not  be  taking  judicial  notice  of  any  inferences  to  be  drawn  by 
this  just  that  it  exists  and  that's  what  the  salary  level  of  an  E4  is 
in  X  period  of  time. 

ADC [CPT  TOOMAN]:  Okay.  That's  —  I  think  —  May  I  have  a 

moment.  Your  Honor? 

MJ:  Yes. 

[There  was  a  brief  pause  while  the  assistant  defense  counsel 
consulted  with  the  civilian  defense  counsel . ] 

ADC [CPT  TOOMAN]:  Your  Honor,  I  guess  the  other  piece  of  the 

relevance  would  be  the  I  guess  tying  —  we  would  agree  that  in  2004 
or  whatever  year  an  E4  made  X  amount  of  dollars,  but  it's  tying  that 
value  with  what  those  people  actually  did  at  that  time  and  we  don't 
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think  that  this  is  relevant  for  that.  That's  what's  important  for 
the  Court. 

MJ:  I  understand  the  defense's  position. 

ADC [CPT  TOOMAN] :  So  with  H  and  I,  again.  Your  Honor,  we  don't 

think  either  of  these  assist  the  Court  in  making  any  determination  as 
to  the  value.  Again,  PFC  Manning  is  charged  with  stealing, 
purloining  or  converting  things  worth  more  than  a  thousand  dollars. 
These  definitions  for  which  the  government  has  requested  judicial 
notice  don't  assist  you  in  assessing  a  dollar  value  to  the 
information.  With  respect  to  - 

MJ:  Well,  the  government's  relying  on  Specification  4  of  Charge 

II,  and  Specification  16  of  Charge  II  for  those  —  for  H  and  I. 

Right? 

ATC [CPT  WHYTE]:  It's  Specification  4  of  Charge  III,  Your 

Honor. 

MJ:  Oh,  I'm  sorry.  Specification  4  of  Charge  III  and 

Specification  16  of  Charge  II.  So  what  is  the  defense  position  for 
that  it's  not  relevant  to  those  specifications?  I  don't  think 
they're  arguing  that  it's  doing  anything  about  value. 

ADC [CPT  TOOMAN]:  Can  I  have  a  moment.  Your  Honor? 

MJ:  Yes. 

[There  was  a  brief  pause  while  the  assistant  defense  counsel 
consulted  with  the  civilian  defense  counsel . ] 
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ADC [CPT  TOOMAN] :  Your  Honor,  Specification  16  does  —  is  a 

641  offense. 

MJ:  It  would  be  a  thing  of  value,  not  the  value  itself.  Is 

that  what  you're  arguing?  It's  not  relevant  to  show  that  it's  a 
thing  of  value? 

ADC [CPT  TOOMAN]:  Right.  We  don't  think  that  it  is.  Again, 

we  think  that  that  would  call  for  the  Court  to  make  an  inference  from 
the  definition  that  it  is  a  thing  of  value.  It  doesn't  say  an 
information  system  is  a  thing  of  value.  That's  an  inference. 

MJ:  Isn't  that  the  purpose  of  relevant  evidence,  to  have  the 

court  draw  inferences  from  the  evidence? 

ADC [CPT  TOOMAN]:  Yes.  But  here  we  don't  think  this  is  proper 

for  judicial  notice  because  the  definition  doesn't  help. 

MJ:  That's  where  I'm  having  trouble  with  your  argument.  The 

judicial  notice  is  basically  this  is  what  it  is.  It's  an 
adjudicative  fact  that  AR  25-2  says  X.  What  inferences  the  Court 
draws  from  that  depends  on  what  other  evidence  is  presented,  how  the 
parties  argue  their  case,  et  cetera.  So  I'm  confused  a  little  bit. 
The  judicial  notice  —  Is  your  argument  to  me  that  this  evidence  is 
not  relevant  in  any  way  coupled  with  other  things  for  the  government 
to  make  an  argument  that  the  Court  should  draw  whatever  inference 
it's  trying  to  do  with  respect  to  those  specifications? 
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ADC [CPT  TOOMAN] :  Certainly  with  regard  to  AR  25-1  we  would 

say  PFC  Manning  is  not  charged  with  AR  25-1  and  so  nothing  from  AR 
25-1  is  relevant,  and  with  respect  to  the  definition  from  AR  25-2 
which  was  originally  offered  to  the  Court  under  AR  25-1,  those  are 
different  definitions.  So,  we  would  - 

MJ:  There's  two  different  definitions.  There's  different 

definitions  of  information  systems  in  25-1  and  25-2? 

ADC [CPT  TOOMAN]:  Yes,  ma'am.  As  well  as  in  other  Army  AR  25- 

400-2  has  a  definition  that's  different.  So  then  we  would  say  the 
probative  value,  the  Army  doesn't  seem  to  be  able  to  get  on  the  same 
page  as  to  what  an  information  system  is,  and  so  we  would  then  say 
the  probative  value  of  this  particular  definition  is  not  very  high 
for  the  Court. 

MJ:  All  right.  So  when  we  recess  the  court,  then  the  defense 

will  be  getting  me  the  definitions  of  information  system  in  these 
other  various  regulations. 

ADC [CPT  TOOMAN]:  I  believe  you  have  25-1,  we'll  be  happy  to 

get  you  another  copy,  but  that  was  the  attachment  to  the  original 
government  —  just  so  I  make  sure  we  get  you  the  right  thing. 

MJ:  That's  all  right.  If  I  have  it,  I  don't  need  another  one. 

ADC [CPT  TOOMAN]:  Okay. 

MJ:  Which  enclosure  is  it,  do  you  remember? 

ATC [CPT  WHYTE]:  It's  Enclosure  8,  ma'am. 
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MJ:  And  where  in  Enclosure  8  does  it  define  information  systems 

just  so  I  can  double-check  it? 

ATC [CPT  WHYTE]:  In  Enclosure  8,  ma'am,  the  definition  of 

information  system  is  the  last  page  of  Enclosure  8m  in  the  Glossary 
section  of  that  Reg. 

ADC [CPT  TOOMAN] :  Which  would  be  - 

MJ:  Page  what?  I  see.  Okay. 

ADC [CPT  TOOMAN]:  Ma'am,  I  can  give  you  a  copy  of  25-1? 

MJ:  I  have  it. 


ADC [CPT  TOOMAN]:  You  have  it.  Okay. 

MJ:  All  right.  I  see  what  you're  talking  about.  But  I  would 

appreciate  the  - 

ADC [CPT  TOOMAN]:  AR  25  - 

MJ:  25-400-2.  I  don't  need  the  whole  regulation.  Just  the 

definition  of  - 


ADC [CPT  TOOMAN]:  Yes,  ma'am.  We'll  just  give  you  the 

definition.  Moving  on  to  K  and  L,  again,  we  don't  believe  the  domain 
of  Iceland  is  relevant.  It  doesn't  make  anything  more  or  less 
likely. 

MJ:  Well,  in  the  chat  exhibit,  it  was  what  Prosecution  Exhibit 

30,  I'm  sorry.  Prosecution  Exhibit  123.  If  they  actually  used  the 
term  .IS,  wouldn't  it  be  helpful  for  the  Court  to  know  what  it  was? 
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1  ADC [CPT  TOOMAN] :  If  you  tell  us  it  is.  Your  Honor,  then  I 

2  guess  it  would  be.  I  think  we  would  agree  it  is  what  it  is,  but  we 

3  don't  think  it  makes  a  fact  more  likely  than  not. 

4  MJ:  Okay. 

5  ADC [CPT  TOOMAN]:  I  guess  with  respect  to  Specification  1  of 

6  Charge  III,  which  is,  I  believe  what  the  government  cited,  it  doesn't 

7  —  the  fact  that  that  is  - 

8  MJ:  Well,  as  I  understand  what  the  government  is  offering  these 

9  things  for  is  to  explain  to  the  Court  when  they  look  at  the  exhibit 

10  what  it  is.  Otherwise,  how  would  the  Court  know? 

11  ADC [CPT  TOOMAN]:  Sure.  Understood,  Your  Honor. 

12  MJ:  Do  you  disagree  with  that,  that  that's  not  - 

13  ADC [CPT  TOOMAN]:  If  that  is  what  the  government  is  offering 

14  it  for,  then  we  would  agree  that  it  is,  for  the  purpose  of  helping 

15  the  Court  understand  the  chat,  that  IS  means  Iceland,  we  would  agree 

16  with  that. 

17  MJ:  And  the  same  thing  for  L,  the  four  individuals? 

18  ADC [CPT  TOOMAN]:  We  don't  —  We  just  don't  believe  —  That  we 

19  would  say  isn't  relevant.  Who  these  people  are  doesn't  —  it  just 

20  isn't  relevant  to  whether  or  not  PFC  Manning  gave  this  information  to 

21  WikiLeaks. 

22  MJ:  Okay. 
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ADC [CPT  TOOMAN] :  We  would  say  that's  true  for  K  as  well, 

".is",  but  we  would  agree  that  it  is  the  domain  for  Iceland.  But  it 
doesn't  make  it  any  more  or  less  likely  that  PFC  Manning  gave  these 
things  to  WikiLeaks  or  any  other  unauthorized  person.  It  doesn't 
make  it  any  more  or  less  likely  that  they  have  value.  It  doesn't 
make  any  more  or  less  to  his  state  of  mind  or  intent.  Our  position 
is  it's  just  not  relevant. 

MJ:  Okay. 

ADC [CPT  TOOMAN]:  And  I  believe  we've  already  discussed  M, 

Your  Honor. 

MJ:  All  right.  M  we  will  probably  have,  should  the  government 

get  anything  further  to  the  Court,  M  will  have  to  be  further 
addressed. 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

MJ:  All  right.  Thank  you.  Anything  else  from  the  government? 

ATC [CPT  WHYTE]:  No,  ma'am. 

MJ:  All  right.  Is  there  anything  else  we  need  to  address  today? 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

TC [MAJ  FEIN]:  No,  ma'am. 

MJ:  All  right.  The  Court  will  take  this  issue  under 

advisement.  The  Court  still  understands  we  owe  you  or  I  owe  you  a 
ruling  on  the  other  evidentiary  issue  that  is  outstanding  and  you'll 
have  that  one  as  well.  That  was  Prosecution  Exhibits  31,  32,  and 
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1  109,  the  admissibility  of  those.  And  if  I'm  correct  we're  going  to 

2  be  proceeding  with  the  taking  of  evidence  tomorrow  at  0930? 

3  TC [MAJ  FEIN]:  Yes,  ma'am. 

4  CDC [MR .  COOMBS]:  Yes,  Your  Honor. 

5  MJ:  Court  is  in  recess  until  tomorrow  at  0930. 

6  [The  court-martial  recessed  at  1258,  25  June  2013.] 

7  [END  OF  PAGE] 
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[The  court-martial  was  called  to  order  at  0809,  26  June  2013.] 

MJ:  Court  is  called  to  order.  Major  Fein,  please  account  for 

the  parties. 

TC [MAJ  FEIN]:  Yes,  ma'am.  Your  Honor,  all  parties  when  the 
Court  last  recessed  are  again  present  except  Captain  Whyte  is  absent 
and  Captain  Overgaard  is  present.  Also,  Your  Honor,  as  of  start  of 
court  this  morning  there  are  11  members  of  the  media  at  the  media 
operations  center,  there  are  two  stenographers  at  the  media 
operations  center.  There  are  no  media  in  the  courtroom.  There  are 
30  spectators  in  the  courtroom  and  also  there's  approximately  20 
spectators  coming  into  the  overflow  trailer.  Because  the  max  of  the 
trailer  is  35,  the  United  States  is  preparing  the  theater  in  case 
it's  needed  as  the  second  overflow  area  for  the  general  members  of 
the  public. 

MJ:  All  right.  Thank  you.  Have  the  parties  added  anything  to 
the  Appellate  Exhibit  List  that  we  need  to  set  forth  for  the  record? 
Major  Fein,  the  Prosecution  and  Defense  Exhibit  List  as  well. 

TC [MAJ  FEIN]:  Yes,  ma'am.  Your  Honor,  yesterday  what's  been 
marked  as  Appellate  Exhibit  579  are  the  Post-Trial  and  Appellate 
Rights  of  the  accused,  dated  25  June  2013;  and  what's  been  marked  as 
Appellate  Exhibit  581  is  the  Defense  Witness  List  Order  for  the  first 
10  witnesses,  dated  25  June  2013.  And,  ma'am,  there  are  prosecution 
exhibits  but  as  we  —  they  are  Stipulations  of  Expected  testimony  and 
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as  we  move  forward  the  United  States  will  offer  those  to  account  on 
the  record. 

MJ:  All  right.  And  Mr.  Coombs,  I  assume  the  Post-Trial  and 

Appellate  Rights  is  just  there  to  ensure  that  it's  on  the  Appellate 
Exhibit  List.  We'll  go  over  that  some  other  —  later  on? 

CDC [MR.  COOMBS]:  That  is  correct.  Your  Honor. 

MJ:  Okay.  All  right.  Counsel  and  I  met  briefly  for  an  R.C.M. 

802  conference  prior  to  coming  on  the  record  today.  Once  again 
that's  where  I  discuss  logistics  and  scheduling  issues  and  other 
issues  that  might  arise  in  the  case.  At  that  Article  —  or  R.C.M. 
802  conference  I  asked  the  government  if  they  intended  to  go  forward 
with  Prosecution  Exhibits  31  Alpha  and  32  Alpha  that  they  had 
referenced  when  we  were  litigating  the  admissibility  of  Prosecution 
Exhibits  31,  32,  and  109  and  the  government  advised  me  that  they 
would  have  an  answer  for  the  Court  at  the  next  --  after  the  next 
recess.  Is  that  correct? 

TC [MAJ  FEIN]:  That’s  correct.  Your  Honor. 

CDC [MR.  COOMBS]:  Yes,  ma’am. 

MJ:  And  the  parties  also  advised  me  that  they  have  reached 

stipulations  of  expected  testimony  for  two  additional  witnesses,  but 
they  don’t  want  me  to  go  over  the  colloquy  with  PFC  Manning  until 
after  the  next  recess  as  well.  Does  either  side  desire  to  add 
anything  to  what  occurred  during  the  R.C.M.  802  conference? 
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TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  Is  there  anything  else  we  need  to  address  before  the  taking 

of  evidence? 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

TC[MAJ  FEIN]:  No,  Your  Honor.  May  the  government  have  a  brief 
moment? 

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  trial  counsel  consulted  with 
assistant  trial  counsel.] 

TC [MAJ  FEIN]:  Yes,  Your  Honor,  the  United  States  is  ready  to 
proceed.  Although  prior  to  this  session  the  United  States  intended 
to  read  a  Stipulation  of  Expected  Testimony  for  Miss  Tasha  Thian,  we 
will  forego  that  right  now  in  order  to  have  the  exhibits  properly 
brought  out  the  classified  exhibits  and  call  our  first  witness. 

MJ:  All  right.  Proceed. 

ATC [CPT  OVERGAARD] :  United  States  calls  Mr.  Charlie  Wisecarver. 

CHARLIE  WISECARVER,  civilian,  was  called  as  a  witness  for  the 
prosecution,  was  sworn,  and  testified  as  follows: 

DIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  OVERGAARD] : 

Q.  And  you  are  Mr.  Charlie  Wisecarver? 

A.  That's  correct. 
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A.  And  do  you  work  for  the  Department  of  State  in  Washington 

D.C.  ? 

A.  I  do. 

Q.  Can  you  tell  us  what  you  do  for  the  Department  of  State? 

A.  Currently  I'm  in  a  position  which  is  defined  as  when 
actually  employed  I'm  a  consultant  to  the  Department  of  State  at  this 
point  in  time.  I  retired  in  —  at  the  end  of  April  2011,  and  so  I 
began  consulting  with  them  in  September  11th,  it's  a  program  that 
they  have  that  allows  retirees,  retired  Foreign  Service  Officers  to 
come  back  and  work  on  a  part-time  basis  and  that's  what  I'm  doing 
now.  And  I'm  consulting  on  security  issues  primarily,  on  the  Federal 
Information  Security  Management  Act,  Certification  and  Accreditation 
Process  of  systems  in  infrastructure. 

Q.  And  is  that  what  you  do  —  That  is  what  you  do  as  a  WAE? 

A.  Uh,  huh,  that's  correct? 

Q.  Okay.  And  what  position  where  you  in  at  the  Department 
before  you  retired? 

A.  Just  prior  to  my  retirement  I  was  the  Principal  Deputy 
Chief  Information  Officer  and  Chief  Technology  Officer. 

Q.  And  what  does  that  mean? 

A.  In  the  Bureau  of  Information  Resource  Management,  you  have 
the  Chief,  Information  Officer.  I  was  the  number  2  person  in  the 
Bureau.  I  had  two  other  Deputy  Chief  Information  Officers  reporting 


9049 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 


©  $ 


up  through  me  to  the  CIO.  I  was  responsible  for  all  IT  operations, 
personnel,  budget,  basically  everything  that  went  on  in  the  Bureau 


Q. 

And  what's  included  in  those  IT  operations? 

A. 

All  the  —  Certainly  the  infrastructure,  the  World  Wide 

Network 

that  we  manage,  280  posts  around  the  world  and  those 

operations  out  to  those.  The  messaging  systems,  the  email  systems 


payroll 

systems,  any  number  of  administrative  computer  types  of 

systems 

as  well,  and  those  types  of  operations. 

Q. 

And  how  long  were  you  in  that  position? 

A. 

As  a  the  Principal,  I  started  that  position  in  February  of 

2008,  and  then  prior  to  that  I  was  just  simply  the  Deputy  Chief 
Information  Officer  and  Chief  Technology  Officer  from  June  2006. 

Q.  And  was  that  —  Did  you  have  similar  responsibilities  in 
that  position? 

A.  I  did,  but  I  didn't  have  the  oversight  of  the  other  two 
Deputy  CIOs  at  that  point  in  time.  But  it  was  very  —  Department  of 
State  is  a  very  collaborative  agency  so  we  typically  work  together  at 
that  level  —  at  the  higher  levels  of  the  Bureau. 


Q. 

And  then  how  about  before  that,  what  were  you  doing? 

A. 

Prior  to  that  I  was  the  Program  Manager  for  a  new  messaging 

system. 

a  modernization  of  the  messaging  system  at  the  Department  of 

State,  it's  called  SMART,  State  Messaging  and  Archive  Retrieval 
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Toolset,  and  so  that  was  to  replace  the  legacy  messaging  systems.  I 
did  that  for  2  years. 

Q.  And  then  how  about  before  that? 

A.  Prior  to  that  I  was  the  Director  of  the  Messaging  Systems 
Office,  so  I  started  that  job  in  December  2000,  when  I  was  promoted 
to  the  Senior  Foreign  Service,  and  that  was  responsible  for  all 
email,  firewall,  messaging  systems,  mobile  access  systems. 

Q.  When  did  you  start  at  the  Department? 

A.  I  started  at  the  Department,  I  was  officially  brought  in  as 
a  Foreign  Service  Specialist  in  September  1987. 

Q.  And  what  was  your  first  assignment  there? 

A.  My  first  assignment  was  actually  in  the  Department  working 

on  another  messaging  system  that  connected  the  Secretary's  Office  to 
the  rest  of  the  Department.  And  then  really  my  first  true  Foreign 
Service  assignment  was  in  Mexico,  I  was  the  Information  Systems 
Manager  in  Mexico  City  responsible  for  the  nine  consulates  that  we 
had  at  that  point  in  time,  IT  operations. 

Q.  And  are  you  familiar  with  Net-Centric  Diplomacy? 

A.  I  am. 

Q.  How  are  you  familiar  with  Net-Centric  Diplomacy? 

A.  Well,  from  the  position  that  I  had  as  the  Deputy  Chief 
Information  Officer/Chief  Technology  Officer  it  fell  under  my 
purview,  responsibility  of  the  operations  and  maintenance  of  that 
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1  system.  I  was  an  occasional  user.  Primarily  when  someone  would 

2  complain  or  make  some  comment  about  the  system,  I  would  go  out  and 

3  use  it.  I  was  not  an  avid  user  of  the  system,  Net-Centric  Diplomacy, 

4  but  I  was  very  much  aware  of  it.  I  had  exercised  the  system  on 

5  occasionally. 

6  Q.  And  you  oversaw  the  system? 

7  A.  I  was  overall  responsible  for  the  smooth  operation  of  the 

8  system,  and  if  it  wasn't  running  well  I  heard  the  complaints. 

9  Q.  Can  you  tell  us  what  NCD  is,  what  Net-Centric  Diplomacy  is? 

10  A.  Net-Centric  Diplomacy,  it  started  off  post  9/11.  It  was  — 

11  The  original  program  name  was  under  Horizontal  Fusion  which  was  a  DoD 

12  program.  DoD  provided  some  money  to  our  intelligence  and  resource 

13  program  office  at  the  Department  of  State  to  make  information 

14  available  to  the  SIPRNET  community.  So  the  idea  was  that  there's  a 

15  wealth  of  information  that  needed  to  be  made  available  to  those  folks 

16  on  the  ground,  to  the  war  fighters,  and  so  that's  what  the  program 

17  started  out  as,  information  sharing  across  the  community,  both  the 

18  intel  community  and  the  Department  of  Defense  community. 

19  MJ:  What  was  the  name  of  that  again? 

20  WIT:  Horizontal  Fusion  was  the  original  banner  that  it  —  the 

21  moniker  that  it  came  under  and  that  was  in  2003. 

22  Q.  So  the  idea  you  said  was  to  make  information  more  readily 

23  available? 
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A.  Certainly.  If  you  look  at  the  legacy  process  of 
distributing  things.  Department  of  State  would  have  a  telegram 
drafted  by  a  political  officer,  say,  for  example,  in,  pick  a  post, 
Djibouti  or  wherever,  they  would  draft  that  telegram,  it  would  be 
sent  to  the  Department  of  State  com  center  and  then,  depending  on 
distribution,  they  may  say,  okay,  a  copy  of  this  should  also  go  to 
CENTCOM  or  other  DoD  elements  or  it  might  just  stay  within  Department 
of  State.  But  the  idea  was  it  went  to  another  com  center,  and  the 
distribution  there  was  haphazard,  in  some  cases;  again  you  had  the 
folks  on  the  ground  in  the  field,  kind  of  at  the  tip  of  the  sphere 
if  you  will,  so  the  idea  was  to  make  this  more  broadly  available, 
information  more  broadly  available  to  those  folks. 

Q.  And  when  was  NCD  actually  launched? 

A.  NCD  would  have  been  launched  probably  2004  timeframe;  it 
became  operational  in  its  infancy. 

Q.  And  when  did  you  actually  start  to  oversee  NCD? 

A.  It  would  had  been  in  2009  as  the  Deputy  Chief  Information 

Officer  when  IRM  took  over  responsibility  for  it. 

Q.  And  when  did  IRM  take  over  responsibility? 

A.  It  would  have  been  late  2009. 

Q.  And  you  were  the  head  of  - 

A.  Yeah,  there  was  a  negotiation  process  between  the  Bureau  of 
Resource  Management  the  Intelligence  and  Resource  Planning  Office, 
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which  had  it  originally,  they  gained  the  money  from  DoD,  they  brought 
it  up  through  its  inception,  they  worked  on  the  initial  requirements, 
and  then  we  and  my  Bureau  looked  at  it  and  said  why  are  these  folks 
running  a  messaging  program,  so  we  negotiated  at  the  Assistant 
Secretary  level  that  this  program  should  come  to  the  Bureau  of 
Resource  Management  —  to  the  Bureau  of  Information  Resource 
Management  under  my  purview. 

Q.  So  it  went  from  RM  to  IRM? 

A.  That's  correct. 

Q.  Okay. 

A.  Just  added  an  extra  letter. 

Q.  And  then  how  about  in  2010,  who  was  responsible  for  the 

maintenance  of  NCD,  was  that  still  you? 

A.  That  was  under  my  responsibility  until  the  time  I  retired. 

Q.  And  did  you  oversee  the  budget? 

A.  Yes,  I  did. 

Q.  Who  was  actually  responsible  for  the  day  to  day  maintenance 
of  the  system,  of  NCD,  in  late  2009? 

A.  Day  to  day  it  would  have  fallen  to  contractors  with 
government  oversight. 

Q.  And  how  about  2010? 
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A.  Same,  it  would  have  been  contractors  with  government 
oversight.  In  the  Bureau  of  Information  Resource  Management  we're  60 
percent  contractors  and  40  percent  FTE. 

Q.  And  what  contractors  did  you  have  working  on  NCD  in  late 

2009? 

A.  It  would  have  been  CITI  I  believe  was  the  contractor  that 
was  working  on  that. 

Q.  What  did  they  do? 

A.  They  were  primarily  doing  some  program,  we  had  some 
programmer  type  folks,  system  administrator,  database  administrator 
and  some  other  low  level.  There  were  some  training  folks  that  were 
involved.  I  don't  know  if  they  were  still  involved  in  2009,  but  we 
also  had  a  kind  of  mini  help  desk  at  that  point  in  time  to  answer 
user  gueries. 

Q.  And  how  much  did  those  contractors  get  paid  in  late  2009? 

A.  I  think  the  budget  at  that  point  in  time  when  IRM  - 

CDC [MR.  COOMBS]:  Objection,  Your  Honor,  at  this  point  he 

hasn't  been  gualified  as  an  expert,  but  I  would  voir  dire  on  that 
expertise  once  the  government  has  completed  its  foundation. 

MJ:  All  right.  Why  don't  you  complete  your  foundation  and  I'll 

allow  the  defense  to  voir  dire  and  then  we  will  continue? 

Q.  Did  you  oversee  the  budget  in  late  2009? 
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A.  I  was  responsible  for  the  complete  IRM  budget,  certainly 
the  operations  side,  so  any  of  the  programs  that  fell  under  that, 
yes . 

Q.  And  you  saw  budget  requests? 

A.  I  saw  budget  requests  and  I  saw  the  actual  spend  levels  for 
all  of  the  programs  that  were  under  my  purview. 

Q.  And  you  actually  had  to  monitor  those  spend  levels  in  2010 
as  well? 

A.  Certainly  as  it  got  closer  to  the  end  of  the  fiscal  year, 
we  would  watch  how  my  —  here  is  the  budget  allotment  for  this 
particular  project  and  here's  how  the  spend  is,  and  what's  the  spend 
plan  to  make  sure  that  the  money  is  —  is  appropriately  used  prior  to 
the  end  of  the  fiscal  year. 

Q.  And  do  you  know  in  late  2009  that  you  had  programmers  and 
low  level  technicians  like  you  said  or  a  technician? 

A.  Yes.  I  mean  you  can't  run  a  system  without  having  that 
level  of  assistance.  You  couldn't  put  a  computer  system  out  there,  a 
large  database  out  there  without  having  those  types  of  personnel  that 
the  —  the  mechanics,  if  you  will,  for  systems  to  manage  and  maintain 
the  system. 

Q.  And  that  was  the  same  in  2010? 

A.  Yes. 
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Q.  And  would  you  have  approved  —  Well,  would  that  have  been  a 
line  in  the  spend  levels  that  you  reviewed? 

A.  Yes.  Under  the  Messaging  Systems  Office  there  would  have 
been  a  line  item  for  Net-Centric  Diplomacy. 

Q.  Which  you  approved? 

A.  Yes. 

Q.  And  do  you  know  how  much,  approximately  how  much  those 
programs  —  those  technicians  made? 

A.  For  the  database  - 

MJ:  I'm  going  to  allow  - 

ATC [CPT  OVERGAARD] :  Sorry,  it's  just  a  yes  or  no  question, 

sorry,  ma'am. 

MJ:  All  right.  Go  ahead,  you  can  answer  that  one. 

Q.  Repeat  the  question. 

Q.  I'm  sorry.  Do  you  know  how  much  the  help  —  the  mini  help 
desk  that  you  talked  about,  do  you  know  approximately  how  much  the 
contractors  were  paid  that  were  part  of  that  —  without  giving  a 
number,  just  yes  or  no. 

A.  Yes. 

ATC [CPT  OVERGAARD]:  We  don't  intend  to  qualify  him  as  an  expert, 
ma'am,  just  a  fact  witness  based  on  what  he  saw  in  the  budget 
requests . 
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MJ:  All  right.  And,  Defense,  do  you  still  want  to  voir  dire  if 

they're  not  going  to  qualify  him  as  an  expert? 

CDC [MR.  COOMBS]:  If  they're  not  going  to  qualify  him  as  an 

expert,  then  more  than  likely  I  think  it  would  be  a  hearsay  objection 
to  the  information. 

ATC [CPT  OVERGAARD] :  He  said  he  actually  reviewed  the  budget 
requests  and  the  line  items  in  the  budget  request,  ma'am. 

CDC [MR.  COOMBS] :  I  could  voir  dire  on  this  to  show  why  it 

would  be  hearsay. 

MJ:  You  can  have  it  on  cross-examination.  I  don't  agree  that 

it's  hearsay.  It's  not  a  statement.  Are  you  going  to  show  him  some 
documents? 

ATC [CPT  OVERGAARD]:  No,  ma'am. 

CDC [MR.  COOMBS]:  In  this  case,  Your  Honor,  if  the  defense  can 

be  heard. 

MJ:  Go  ahead. 

CDC [MR.  COOMBS]:  The  position  that  Mr.  Wisecarver  occupied, 

whatever  information  he  would  be  seeing  would  be  forms  from 
individuals  that  were  several  echelons  below  him,  and  they  would 
indicate  the  amount  of  money  that  they  might  need,  sometimes 
overestimate  that,  and  so  it  would  be  statements  from  these 
individuals  saying  here's  how  much  money  we  need  to  do  X,  Y  and  Z. 

And  then  it  would  be  brought  up  to  his  level.  He  wasn't  actively 
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looking  at  Net-Centric  Diplomacy  database  saying  this  is  how  much 
money  we  need,  this  is  what  we  need  to  do.  So  in  that  regard  it's  a 
statement  by  those  individuals  saying  here's  how  much  money  we  need 
for  X,  how  much  money  we  need  for  Y. 

MJ:  All  right.  I'm  going  to  overrule  the  objection  and  you  can 

cover  that  in  cross-examination.  Proceed. 

Questions  continued  by  the  assistant  trial  counsel  [CPT  OVERGAARD] : 

Q.  So  then  who  was  working  at  the  mini  help  desk  that  you  were 
talking  about  in  late  2009,  early  2010? 

A.  Who  was  in  —  I  do  not  know  the  individual's  - 

Q.  No,  not  their  names,  but  just  their  positions,  sir. 

A.  It  would  have  been  a  low  level  technical  type  of  position. 

Q.  And  how  much  would  that  person  get  paid? 

A.  Typically  that  would  be  in  the  65  —  $65,000  to  $70,000, 
range,  somewhere  in  there. 

Q.  And  at  the  —  You  said  you  were  monitoring  the  spend  levels 
at  the  end  of  2010.  Did  you  ensure  that  all  that  money  was  spent? 

A.  Uh-huh.  That  it  had  to  be  obligated,  the  money  had  to  be 
obligated  by  the  end  of  the  fiscal  year. 

Q.  And  when  the  money  is  obligated,  then  what  follows? 

A.  Then  it  would  be  —  Then  the  contractor  can  invoice  against 
—  against  that  obligation  document  and  it  would  be  liquidated.  For 
all  intents  and  purposes  from  my  standpoint  the  money  was  spent. 
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Q.  Okay.  And  was  that  over  $1,000.00  that  was  spent  on  your 
budget? 

A.  For  the  Net-Centric  Diplomacy  program? 

Q.  Yes.  In  2010. 

A.  Yes.  It  would  have  well  exceeded  that. 

Q.  Can  you  tell  us  what  networks  Net-Centric  Diplomacy  was 
located  on? 

A.  It  was  located  on  the  SIPRNET  network  and  on  JWICS,  the  Top 
Secret  network,  so  the  Secret  High  and  the  Top  Secret  network. 

Q.  And  what  types  of  information  were  on  NCD? 

A.  It  would  be  information  that  the  drafting  officers  of  those 
messages  had  deemed  appropriate  for  sharing  outside  Department  of 
State  channels. 

Q.  So  what  are  some  examples  of  —  So,  drafting  messages,  is 
that  what  you  said? 

A.  The  drafting  officer  would  make  that  determination  for 
something  like  that.  So  it  might  have  been  a  meeting  with  the 
foreign  minister,  for  example,  on  some  type  of  negotiation,  some  type 
of  treaty,  various  things.  It  could  have  been  just  biographical 
sketches,  here's  the  presidential  race  outside  the  United  States,  so 
pick  a  country  where  there  was  actually  some  type  of  election  going 
on,  here's  the  candidate  and  their  stances  on  various  issues. 
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Q.  And  did  other  government  organizations  and  agencies  use 

NCD? 

A.  Primarily  it  was  those  who  had  access  to  SIPRNET .  Of  the 
civilian  agencies  there  were  not  that  many  that  had  access  to 
SIPRNET.  It's  primarily  the  Department  of  Defense  and  the  Intel 
community. 

Q.  How  was  NCD  actually  populated  in  the  first  part  of  —  in 
the  end  of  2009,  and  the  first  part  of  2010? 

A.  The  message  would  come  from  the  drafting  officer,  from  the 
post  overseas  into  the  Department  of  State  com  center,  communications 
center  there.  It  would  review  those  messages  for  the  appropriate 
caption  and  then  it  would  be  fed  over  to  the  NCD  database  - 

Q.  And  what  was  the  - 

A.  all  electronic. 

Q.  What  was  that,  sir? 

A.  All  electronic. 

Q.  And  what  was  the  appropriate  caption? 

A.  SIPDIS .  S-I-P,  standing  for  SIPRNET,  D-I-S  standing  for 
distribution. 

Q.  And  what  is  a  caption? 

A.  Caption  is  a  means  of  determining  who  should  or  perhaps 
should  not  get  a  particular  message.  So  captions  could  be  --  We  have 
certain  captions  for  State  Department  distribution  only.  We  have 
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captions  that  might  be  medically  privileged  information,  so  that 
would  be  actually  restrictive,  that  other  officers  would  not  have 
access  to  that  information  unless  they  were  a  medical  officer.  We 
have  other  exclusive  channels  that  —  for  the  Secretary's 
communications . 

Q.  And  you  said  SIPDIS  was  SIPRNET  distribution? 

A.  Yes,  that's  correct. 

Q.  So  what  does  that  mean? 

A.  So  it  means  that  the  drafting  officers  and  the  clearing  and 
approving  officers  overseas  have  looked  at  this  and  said  this  is  of 
general  interest  outside  the  Department  of  State.  This  is  a  general 
interest  that's  appropriate  for  posting  on  to  the  SIPRNET  NCD 
database  and  JWICS. 

Q.  And  just  so  we  can  understand  how  SIPDIS  would  actually 
work,  could  you  walk  us  through  how  a  cable  is  actually  drafted  on 
the  screen  and  what  fields  they  fill  in? 

A.  Sure.  So  first  field  that  you  have  to  fill  out  is  the 
classification.  Is  it  Unclassified,  Confidential,  Secret,  or  Top 
Secret?  And  Top  Secret,  of  course,  is  only  on  certain  types  of 
messages.  Until  you  put  in  the  approving  officer,  you  put  in  the 
clearing  officers,  there  will  be  a  series  of  clearing  officers  as 
well,  folks  who  we  view  or  made  various  changes  to  it  or  said,  yes, 
this  is  factual.  Then  it  would  be  the  drafting  officer.  Underneath 
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that  you  would  have  the  tags  which  is  —  are  the  terms  and  geographic 
subjects  information  associated  with  it  that  was  also  used  for 
distribution  purposes  within  the  Department  of  State.  And  it  might 
distribute  it  —  it  might  differentiate  between  a  political  tag  or  an 
administrative  tag,  for  example.  Then  you  would  also  have 
declassification  information  if  that  was  appropriate.  There  was  the 
executive  order  for  classification  line  in  there  as  well,  the 
subject,  and  then  finally  the  text  of  the  message,  and  then 
ultimately  it  was  signed  by  the  Ambassador  at  that  mission  overseas 
or  by  Sec  State  in  the  case  of  —  the  Secretary  of  State  in  case  of 
outbound  message  from  Washington.  So  they  would  draft  that  message, 
they'd  put  all  that  information  in  there,  it  would  go  around  for  the 
clearance  process.  This  could  take  days,  weeks  or  it  might  just  be 
done  very  quickly  depending  on  the  nature  of  the  message,  how 
controversial  it  might  be,  so  it  goes  through  the  clearance  process. 
And  then  finally  all  those  changes  —  all  the  clears  were  on  there 
and  it  goes  to  the  approving  officer  who  would  say,  yay,  nay,  and 
then  it  would  be  transmitted  from  the  com  center  back  to  the 
Department  of  State. 

Q.  So  the  cable  is  marked  SIPDIS  on  the  fields  and  sent. 

Where  would  it  go? 
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A.  SIPDIS  would  go  to  Department  of  State,  that  distribution 
would  be  made  in  the  Department  of  State,  and  additionally  a  feed 
would  be  given  over  to  Net-Centric-  Diplomacy. 

Q.  So  it  would  feed  into  Net-Centric  Diplomacy? 

A.  Uh-huh. 

Q.  And  when  was  that  SIPDIS  caption  created,  do  you  remember? 

A.  That  was  created  at  the  outset  of  the  program.  We  had  to 
have  a  way  of  differentiating  what  would  go  off  Department  of  State's 
networks . 

Q.  Do  you  know  why  it  was  created? 

A.  Again,  it  was  to  —  it  was  so  that  the  officers  had  a  clear 
understanding  that  this  is  a  message  that  should  be  shared  outside  of 
normal  Department  of  State  areas. 

Q.  Were  there  any  other  ways  that  cables  were  uploaded  into 

NCD? 

A.  There  was  a  capability  that  if  you  —  if  you  were  a  user  of 
Intelink  and  you  had  a  passport,  which  basically  was  a  user  ID  and 
password,  then  you  could  upload  messages  as  well  into  NCD. 

Q.  So  there  could  be  cables  in  NCD  that  aren't  SIPDIS? 

A.  That's  correct. 

Q.  At  the  end  of  2009  and  the  first  part  of  2010,  how  would  a 
user  actually  get  to  the  NCD  database  if  they  were  on  SIPRNET? 

A.  They  would  go  to  the  NCD  website  and  that  would  be  it. 
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Q.  So  how  would  they  get  there? 

A.  A  lot  of  folks  had  a  bookmark,  they  knew  what  the  NCD 
address  was.  I  didn't  particularly  know  what  it  was,  but  I  could  do 
a  search  out  there  and  find  my  way  to  it. 

Q.  So  you  could  search  on  SIPRNET  and  find  it? 

A.  Yes,  you  could  search  on  NCD,  uh-huh. 

Q.  Once  someone  got  to  NCD,  if  they  wanted  to  find  a  specific 

cable,  for  example,  how  could  they  have  done  that? 

A.  If  they  knew  what  the  cable  number  was,  they  could  actually 
put  that  in  in  the  search  box,  it's  very  similar  to  the  way  the 
Internet  works  today  as  in  Google  or  Bing  or  whatever  your  search 
engine  is,  or  you  could  search  for  a  particular  word,  string,  or 
whatever  else,  you  could  search  them  that  way. 

Q.  So  if  someone  did  a  general  search,  what  would  it  look  like 
when  the  results  came  back? 

CDC[MR.  COOMBS]:  Objection,  Your  Honor.  The  testimony  now  is 

going  into  the  technical  aspects  of  Net-Centric  Diplomacy  database. 
It's  beyond  the  level  of  701  and  we're  going  to  be  going  into  702 
now,  especially  if  counsel  is  going  to  start  asking  questions  about 
how  the  Net-Centric  Diplomacy  database  did  or  did  not  give  access  to 
individuals . 

MJ:  Are  you  going  to  qualify  this  witness  as  an  expert  or  not? 
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ATC [CPT  OVERGAARD] :  No,  ma'am.  We're  just  talking  about  his 
firsthand  knowledge  of  what  NCD  looked  like,  what  you  would  do  on 
NCD,  how  a  search  result  would  come  back,  what  you  could  do  on  NCD. 

CDC [MR .  COOMBS]:  I  believe.  Your  Honor,  that  the  witness 

testified  that  he  rarely  used  Net-Centric  Diplomacy  Database, 
occasionally  he  went  on  it.  If  they  want  to  limit  it  to  his 
knowledge  of  the  searches  that  he  did,  his  firsthand  experience, 
fine.  But  counsel's  not  doing  that,  counsel  is  asking  how 
individuals  would  access  Net-Centric  Diplomacy  Database,  how  they'd 
do  queries,  how  they'd  do  searches.  That  is  the  appropriate 
testimony  of  an  expert. 

ATC [CPT  OVERGAARD]:  The  witness  stated,  ma'am,  that  he  used  NCD, 
he's  aware  of  what  it  looked  like,  he  didn't  use  it  constantly,  but 
he  used  it,  and  every  time  there  was  problems  he  logged  on  - 

MJ:  I  think  the  defense  objection  is  you're  asking  a  general 
question  of  how  everyone  else  used  it.  If  you  don't  want  to  qualify 
this  witness  as  an  expert,  then  tailor  your  questions  to  his  own 
personal  use. 

ATC [CPT  OVERGAARD]:  Yes,  ma'am. 

Questions  continued  by  the  assistant  defense  counsel  [CPT  OVERGAARD] : 

Q.  So  when  you  did  a  search  on  NCD,  what  would  the  results 
look  like  when  you  got  them  back? 
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A.  It  would  be  the  same  as  if  I  did  a  Google  search  on  the 
Internet.  It  would  come  back  with  those  messages  that  met  the 
criteria  of  my  search. 

Q.  So  how  would  that  appear,  would  it  be  just  a  list  of? 

A.  It  would  have  a  list  of  messages,  M-R-N,  date,  subject 

line . 


Q.  And  then  how  would  you  actually  - 

MJ:  What  is  an  M-R-N? 

WIT:  I'm  sorry.  Message  resource  number.  It's  a  unique 
identifier.  It's  a  combination  of  the  originating  post  and  date 
time.  Date  time  group  I  think  is  how  it's  used  in  the  military,  DTG. 

Q.  And  if  you  wanted  to  open  a  cable,  how  would  you  do  that? 

A.  You  would  just  simply  click  on  that  link. 

Q.  Could  you  download  a  cable? 

A.  There  was  a  feature  to  similar  to  —  I  mean  it's  in  the 
Internet  Explorer  bar  is  to  file,  save,  yes. 

Q.  How  would  you  do  that? 

A.  Go  up  to  the  file,  go  down  to  save  from  the  browser. 

Q.  On  the  actual  browser  you  would  just  go  to  the  save  as  in 

the  drop  down? 

A.  Uh-huh. 

Q.  Could  you  download  multiple  cables? 
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CDC [MR.  COOMBS]:  Objection,  Your  Honor.  Again,  now  I'll 

object  to  relevance  and,  again,  what  counsel  is  really  doing  is 
trying  to  have  this  witness  testify  as  to  how  the  process  of  Net- 
Centric  Diplomacy  Database  worked. 

MJ:  And  this  witness  uses  the  Net-Centric  Diplomacy  Database, 

correct? 

CDC [MR.  COOMBS]:  If  I  could  voir  dire  in  aid  of  my  objection. 

MJ:  You  can  do  it  on  cross-examination. 

CDC [MR.  COOMBS]:  Then  I  would  object  then  at  this  point  to 

relevance  on  what  the  counsel  is  asking. 

MJ:  Overruled.  Proceed. 

Questions  continued  by  the  assistant  trial  counsel  [CPT  OVERGAARD] : 

Q.  Were  you  able  to  download  multiple  cables  at  once  from  NCD 
in  late  2009,  early  2010? 

A.  No.  I'd  only  do  one  at  a  time.  Same  thing  for  printing. 

Q.  In  your  role  as  DCIO,  did  you  also  oversee  the  auditing 
capabilities  of  Department  of  State  programs,  for  those  under  IRM? 

A.  Yes,  for  any  auditing  that  was  being  done,  yes,  I  would 
oversee  that. 

Q.  What  does  that  —  What  did  that  include? 

A.  I  mean  it's  the  whole  authentication  process  as  you  first 
try  to  authenticate  to  the  network,  you  log  on  to  the  network,  you're 
either  accepted  or  rejected  at  that  point  in  time. 


9068 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


O 


o 


Q.  Okay.  Did  you  ever  see  firewall  logs  or  firewalls? 

A.  Firewalls,  okay,  different,  yes,  absolutely.  Firewalls  — 
The  firewall  staff  worked  for  me  and  so,  yes,  I  saw  firewall  logs. 

In  fact,  in  my  job  as  the  Messaging  Systems  Office  Director  I  spent 
guite  a  bit  of  time.  We  had  constant  attempts  to  hack  into  our 
network  at  the  Department  of  State. 

Q.  Were  you  ever  asked  to  collect  firewall  logs  —  firewall 
audit  data  for  this  case? 

A.  Yes. 

Q.  And  what  in  general  do  those  firewall  logs  show? 

A.  It  was  an  IP  address.  It  was  the  —  We  were  looking  for 
any  hits  to  the  NCD  IP  address,  and  then  where  those  were  actually 
going  to,  the  destination  IP  address. 

Q.  And  do  you  remember  when  that  was? 

A.  I  don't  remember  the  specific  IP  address,  no. 

Q.  No.  Do  you  remember  the  time? 

A.  Timeframe,  that  would  have  been  October  of  2010. 

Diplomatic  security  actually  requested  that,  law  enforcement  Army 
Department  of  State  Diplomatic  Security  asked  me  for  that 
information . 

Q.  Do  you  remember  who  in  particular? 

A.  Ron  Rock  was  the  gentleman. 

Q.  And  who  pulled  those  logs  for  you? 
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A.  Jerry  Mundy  burnt  CDs  of  those  logs  for  me. 

Q.  And  he  gave  those  CDs  to  you? 

A.  He  gave  the  CDs  to  me. 

Q.  And  who  did  you  give  those  CDs  to? 

A.  They  went  to  my  safe  and  then  Ron  Rock  came  and  picked  them 

up. 

Q.  So  they  were  secured  while  they  were  in  your  possession? 

A.  They  were  in  my  safe,  yes. 

Q.  And  you  did  not  alter  them  in  any  way? 

A.  I  did  not  alter  them. 

ATC [CPT  OVERGAARD] :  One  moment,  please. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  consulted 
with  trial  counsel . ] 

Questions  continued  by  the  assistant  trial  counsel  [CPT  OVERGAARD] : 

Q.  Was  NCD  available  on  any  network  besides  SIPRNET  and  JWICS? 
A.  No.  Not  to  my  knowledge. 

Q.  There  wasn't  a  non-classif ied  NCD? 

A.  No. 

ATC [CPT  OVERGAARD]:  Okay.  Thank  you. 

MJ:  Cross-examination? 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 
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CROSS-EXAMINATION 

Questions  by  the  civilian  defense  counsel  [MR.  COOMBS] : 

Q.  Mr.  Wisecarver,  good  morning. 

A.  Good  morning. 

Q.  The  NCD  database  was  not  developed  at  the  Department  of 
State,  correct? 

A.  Yes,  it  was  developed  at  the  Department  of  State. 

Q.  Well,  the  Information  Resource  Management  did  not  design  or 
create  the  Net-Centric  Diplomacy  Database;  that  was  contracted  out? 

A.  It  was  contracted  out,  but  it's  still  considered  a 
government  system. 

Q.  Right.  So  maybe  it's  just  semantics.  The  database  was 
designed  and  created  by  Creative  Information  Technology  Incorporated 
(CITI ) ? 

A.  They  were  the  contractor.  They  were  the  primary 
contractor. 

Q.  And  they  designed  and  created  NCD,  correct? 

A.  Based  on  specifications  from  Department  of  State,  based  on 
the  task  order,  yes. 

Q.  All  right.  And  CITI  is  a  private  company? 

A.  To  the  best  of  my  knowledge,  yes. 

Q.  And  they  were  hired  to  develop  and  deploy  the  Net-Centric 
Diplomacy  Database  for  the  Department  of  State? 
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A.  Uh-huh. 

Q.  In  the  2006  timeframe  you  served  as  the  Deputy  Chief  for  IT 
Operations  and  the  Chief  Technology  Officer  for  Department  of  State. 
Is  that  correct? 

A.  Deputy  Chief  Information  Officer,  I  got  that  position  in 
June  of  2006. 

Q.  And  during  that  time  you  were  not  working  with  CITI  on  the 
design  specifications  for  the  Net-Centric  Diplomacy  Database? 

A.  No,  I  was  not. 

Q.  Instead,  your  focus  obviously  was  on  the  overall 
requirements  of  your  office? 

A.  Uh-huh. 

Q.  Since  you  were  not  focused  on  the  design  specifications, 
you  did  not  contribute  to  the  design  scope  of  what  the  NCD  database 
would  be.  Is  that  correct? 

A.  That's  correct. 

Q.  You  did  not  contribute  to  CITI's  logical  design  for  the 
Net-Centric  Diplomacy  Database? 

A.  I  did  not. 

Q.  And  the  logical  design  of  the  database  would  identify  data 
elements  and  enable  users  to  either  find  data  based  upon  some 
designated  key.  Is  that  correct? 


9072 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


Q 


0 


A.  That's  your  definition  —  yeah,  I  mean  it's  the  user 
specifications  types  of  things.  So  they  would  take  those  user 
requirements,  the  specifications  provided  by  the  Department  of  State 
officers  and  program  into  that,  yes. 

Q.  And  you  did  not  participate  in  CITI's  technical 
optimization  of  the  NCD  database  as  well? 

A.  I  did  not. 

Q.  And  the  technical  optimization  is  the  physical  database 
itself,  physical  database  design.  Is  that  correct? 

A.  Uh-huh.  I  did  not  participate  in  that  design. 

Q.  Right.  But  I'm  just  asking  the  technical  optimization, 
that  is  the  physical  database  design.  Is  that  correct? 

A.  Again,  that's  a  potential  definition. 

MJ:  Do  you  know  or  not? 

WIT:  I'm  not  sure.  I  mean,  the  tech  —  what's  the  —  repeat 
that  again  then,  please. 

Q.  Right.  So  when  someone's  designing  a  database,  the 
technical  optimization  of  the  database,  that's  the  physical  database 
design? 

A.  Technical  optimization,  that's  not  how  I  would  define  - 

Q.  How  would  you  define? 

A.  -  as  the  database  default.  Optimization  is  improving 

performance,  improving  the  throughput  of  the  system.  The  design 
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would  have  already  been  done,  the  technical  design,  but  how  could  we 
improve  it  would  be  optimization  in  my  mind. 

Q.  All  right.  Would  you  agree  with  me  that  the  technical 
optimization  would  control  what  functions  a  user  could  and  could  not 
perform  on  the  database? 

A.  No.  That's  not  technical  optimization  in  my  mind  at  all. 

Q.  What  is  it  in  your  mind? 

A.  Those  types  of  things?  Those  are  user  requirements.  Those 
are  basic  requirements. 

Q.  All  right.  So  basic  requirements  of  the  database  would 
control  what  a  user  could  and  could  not  do? 

A.  That's  correct. 

Q.  And  you  did  not  participate  in  the  design  of  that? 

A.  I  didn't,  that's  correct. 

Q.  Is  that  right? 

A.  That's  correct. 

Q.  Now,  with  regards  to  the  costs. 

MJ:  Did  you  say  it  was  a  prosecution  exhibit  or  a  defense 

exhibit? 

CDC [MR .  COOMBS]:  I'm  sorry. 

Q.  Mr.  Wisecarver,  I'm  showing  you  what's  been  marked  as 
Defense  Exhibit  November  for  Identification.  Can  you  tell  me  if  you 
recognize  this? 
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A.  Uh-huh.  I  do. 

Q.  And  what  is  that? 

A.  It's  a  Foreign  Affairs  Manual  for  the  Department  of  State. 

Q.  And  what  is  the  Foreign  Affairs  Manual? 

A.  It  consists  of  regulations  of  Department  of  State.  It 
gives  the  organizational  structure  of  the  Department  of  State, 
various  policies  and  procedures. 

Q.  And  that  particular  section  of  the  Foreign  Affairs  Manual, 
what  does  that  cover? 

A.  This  is  the  Bureau  of  that  I  was  responsible  for,  the 
Bureau  of  Information  Resource  Management. 

CDC [MR.  COOMBS]:  Retrieving  Defense  Exhibit  November  from  the 
witness.  Permission  to  publish,  ma'am? 

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  civilian  defense  counsel  published 
the  exhibit  to  the  Court.] 

Q.  Mr.  Wisecarver,  I'm  going  to  show  you  two  pages  from  this. 
It's  basically  Page  33,  and  that  has  a  large  print.  All  right.  So 
we  will  start  with  Page  33  and  then  we're  going  to  carry  over  to  34, 
okay?  So  33  at  the  very  bottom  of  that,  what  is  that  —  is  that  the 
position  that  you  were  in  at  one  point? 

A.  Deputy  Chief  Information  Officer.  This  is  somewhat  dated, 

I  believe,  but  okay. 
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1  Q.  And  you  can  —  we're  going  to  talk  about  some  of  the 

2  information  that  you  think  might  need  to  be  corrected,  okay? 

3  A.  Uh-huh. 

4  Q.  And  then  going  here  carrying  over  to  34? 

5  MJ:  Before  we  proceed,  can  I  ask  you  something?  You're 

6  answering  the  questions  uh-huh.  That's  very  hard  for  the  court 

7  reporter.  If  you  can  answer  them  either  yes  or  no. 


8 

WIT: 

I'm  sorry. 

Be 

clear,  yes,  ma'am. 

9 

MJ: 

Thank  you. 

10 

WIT: 

Yes,  ma'am. 

11 

Q. 

All  right. 

So 

then  when  we  carry  over  to  Page  34  and  I 

12  know  there's  a  lot  there,  but  would  you  agree  with  me  that  Page  34 

13  kind  of  outlines  the  various  requirements  of  your  position? 

14  A.  That's  the  overall  responsibilities  of  my  positions,  yes. 

15  Q.  And  this  is  essentially  just  kind  of  a  broad  brush  of 

16  everything  that  you  would  be  responsible  for? 

17  A.  Yes,  that's  correct. 

18  Q.  And  obviously  right  here,  even  though  and  we'll  cover  in  a 

19  moment  how  it  kind  of  fell  under  your  purview,  this  doesn't  highlight 

20  the  Net-Centric  Diplomacy  Database  or  budgetary  issues  for  that.  Is 

21  that  correct? 

22  A.  That's  correct.  It  doesn't  call  out  any  particular  system. 
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1  Q.  What  I'd  like  to  now  show  you  is  Page  78.  All  right.  Now, 

2  this  is  a  little  hard  to  see,  but  I'm  going  to  zoom  in.  First  of 

3  all,  have  I  shown  this  to  you  before? 

4  A.  Yes,  you  did. 

5  Q.  And  can  you  tell  Colonel  Lind  what  this  is? 

6  A.  This  is  the  Bureau's  organizational  chart.  It  shows  the 

7  structure.  It's  dated  2008,  but  it  was  not  current  at  that  time. 

8  Q.  All  right.  And  let's  explain  how  it  changed.  So  as  this 

9  is  designed  now,  is  this  the  current  design? 

10  A.  Yeah.  This  is  probably,  I  don't  know  all  the  details  of 

11  the  various  boxes,  but  this  is  probably  closer  to  the  organizational 

12  chart  today,  yes. 

13  Q.  And  then  in  the  2009/2010,  timeframe  when  you  were  the 

14  deputy  CIO,  how  was  this  different? 

15  A.  What  would  have  happened  is  off  that  Chief  Information 

16  Officer  box  there  it  came  down  to  the  Principal  Deputy  Chief 

17  Information  Officer  which  had  been  me,  and  then  the  two  DCIO  boxes  or 

18  the  DCIO  for  business  planning  and  customer  assurance  or  service. 

19  And  then  the  Office  of  Information  Assurance,  Chief  Information 

20  Security  Officer,  would  have  reported  up  to  me,  through  me  to  the 

21  Chief  Information  Officer. 
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1  Q.  All  right.  So  when  you  were  the  Principal  Deputy  then,  all 

2  these  boxes  here  below  the  CIO  essentially  would  have  fallen 

3  underneath  you? 

4  A.  That's  correct. 

5  Q.  How  many  employees  did  you  have  essentially  working  for  you 

6  when  you  were  the  Principal  Deputy? 

7  A.  Employees  or  overall?  I  mean  look  at  the  contract  staff 

8  and  the  employees,  it  was  in  excess  of  1500. 

9  Q.  Okay.  And  so  if  we  take  out  —  so  1500  people  working  for 


10 

you 

as 

the  Principal  Deputy? 

11 

A. 

Right.  Right. 

12 

Q. 

And  I  imagine  then  when  these  individuals  are 

working  for 

13 

you, 

.  you  have  the  general  oversight  of  them,  but  you're 

not  in  the 

14 

day 

to 

day  weeds  of  their  particular  job.  Is  that  correct? 

15  A.  That  would  generally  be  correct.  It  would  depend  on  the 

16  type  of  the  program.  If  it  was  a  hot  button  type  program,  I  probably 

17  would  be  in  the  weeds  on  it.  If  it  was  a  major  failure,  email  wasn't 

18  working,  people  couldn't  access  the  Internet,  yes,  I  would  be  looking 

19  very  closely  scrutinizing  what  was  going  on. 

20  Q.  Now,  with  regards  to  the  Net-Centric  Diplomacy  Database, 

21  the  information  that  you  have  regarding  any  sort  of  expenses  for  that 

22  is  based  upon  what  others  have  briefed  to  you.  Is  that  correct? 

23  A.  Or  documents  that  were  sent  to  me  for  approval. 
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1  Q.  And  those  documents  were  documents  that  others  prepared  for 

2  you? 

3  A.  Yes.  They  would  be  budget  requests. 

4  Q.  And  my  understanding  is  essentially  those  budget  requests 

5  that  were  coming  up  to  you,  unfortunately  this  is  kind  of  the  way, 

6  and  you  tell  me  if  you  agree,  the  way  the  government  works,  those 

7  budget  requests  would  be  elevated  somewhat.  Is  that  correct? 

8  A.  It's  not  unusual  for  --  Again,  you  could  do  so  much.  So  a 

9  program  office  wants  to  do  the  best  they  can  for  their  system,  so 

10  they'll  shoot  for  the  sky.  They'll  put  in  there  as  much  as  they  can. 

11  They  want  to  build  that  perfect  nirvana  kind  of  system  or  whatever, 

12  so,  yes.  Inflated,  well,  that's  kind  of  derogatory  in  a  sense, 

13  that's  a  little  bit  negative,  but  it's  not  unusual  for  some  padding 

14  to  take  place  in  the  budget  request. 

15  Q.  And  I  guess  the  idea  for  padding  is  let's  ask  for  more  that 

16  we  might  actually  need  and  then  it  might  get  cut  back  and  we'll  be  in 

17  a  position  where  we're  okay. 

18  A.  That's  true.  But  the  padding  had  to  be  justified  as  well 

19  in  the  narrative  of  the  budget  request. 

20  Q.  Now,  with  regard  to  the  Net-Centric  Diplomacy  Database,  you 

21  indicated  that  in  late  2009  the  IRM  started  to  take  control  of  that. 

22  A.  Uh-huh. 
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Q.  That's  when  you  were  basically  in  the  conversation  to  take 
control  of  it.  The  actual  taking  control  of  the  Net-Centric 
Diplomacy  Database  didn't  take  place  until  August  of  2010.  Is  that 
correct? 


A.  I  don't  know  that  fact.  I  believe  --  I  thought  it  was  late 
2009  that  we  took  over  responsibility  for  the  program. 

Q.  Okay.  So  from  your  memory,  you  think  it's  late  2009? 

A.  Uh-huh.  That's  correct. 

Q.  Now,  when  you  did  take  over  the  responsibility  for  it,  you 
weren't  directly  handling  the  budgetary  issues  for  the  Net-Centric 
Diplomacy  Database,  you  were  relying  upon  others  to  do  that  for  you? 

A.  As  with  all  programs  at  Department  of  State. 

Q.  So  any  information  that  you  had  regarding  funding  for  the 
Net-Centric  Diplomacy  Database  was  based  upon  information  from 
others? 


A.  The  budget  request  would  come  to  me  for  approval. 

Q.  Right.  So  you  - 

A.  I  didn't  prepare  the  budget  request  if  that's  what  you're 


asking . 

Q.  Got  it.  Now,  let's  talk  about  the  Net-Centric  Diplomacy 
Database.  That  was  built  with  information  sharing  as  a  priority? 
A.  Correct. 
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Q.  When  the  NCD  Database  was  deployed  on  SIPRNET  in  late  2006, 
there  were  no  individual  user  level  authentication  or  authorization 
mechanisms  in  place? 

A.  Repeat  that  question.  I'm  not  sure. 

Q.  Right.  When  the  Net-Centric  Diplomacy  Database  was  put  on 
SIPRNET,  made  available  on  SIPRNET,  the  Department  of  State  did  not 
have  any  individual  user  level  authentication  or  authorization 
mechanisms  in  place.  Is  that  correct? 

A.  That's  correct.  Yes,  it  wasn't  required  to  view  or  print 
documents . 

Q.  Basically  the  State  Department  relied  upon  the  end  users  of 
the  data,  in  this  case  the  military,  to  guard  against  any  abuse? 

A.  That's  correct. 

Q.  The  State  Department's  view  on  the  Net-Centric  Diplomacy 
Database  was  that  it  was  the  responsibility  of  the  receiving  agencies 
to  insure  that  information  was  handled,  stored  and  processed  in 
accordance  with  U.S.  Government  procedures? 

A.  Yes.  And  that  was  true  with  the  legacy  messaging  systems 
as  well,  it's  just  the  same  type  of  practice  was  carried  over. 

Q.  And  because  it  was  the  responsibility  of  the  receiving 
agency,  the  Net-Centric  Diplomacy  Database  was  not  designed  with 
access  controls  as  a  priority? 
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1  A.  I  can't  say  that  that  was  a  priority  or  not  a  priority,  it 

2  just  was  not  designed  with  that. 

3  Q.  Well,  in  fact,  the  way  it  was  designed  was  the  State 

4  Department  relied  upon  other  agencies.  If  you  gave  somebody  access 

5  to  SIPRNET,  then  you've  done  the  vetting  or  whatnot  to  insure  that 

6  they  had  proper  access.  Is  that  correct? 

7  A.  Well,  certainly  for  State  Department  users.  I  mean  the 

8  Secret  clearance  is  required  to  have  access  to  ClassNet  in  the 

9  Department  of  State  world  or  SIPRNET,  so,  yes,  there  was  a  certain 


10 

amount  of 

vetting 

taking  place  and  those 

types  of  things  and  we  did 

11 

not  put  additional 

.  controls  beyond  that. 

12 

Q. 

Right . 

My  question  is  limited 

just  simply  to  the  other 

13 

agencies . 

14 

A. 

Okay. 

15 

Q. 

So  once 

the  State  Department  put  Net-Centric  Diplomacy 

16  Database  on  the  SIPRNET,  they  relied  upon  other  agencies  to  control 

17  who  would  or  would  not  have  access  to  SIPRNET? 

18  A.  That's  correct. 

19  Q.  And,  likewise,  they  relied  on  other  agencies  to  put  any 

20  access  limitation  or  requirements  to  SIPRNET,  you  relied  upon  other 

21  agencies  to  do  that? 

22  A.  Right.  But,  again,  understanding  that  NCD  was  a  web-based 

23  type  of  application,  so  I  don't  believe  it  was  limited  at  all.  If 
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you  had  access  to  SIPRNET,  you  had  that  Secret  clearance,  you  were 
given  authorization  to  use  SIPRNET,  then  by  default  you  would  have 
access  to  NCD. 

Q.  And  that's  exactly  what  I  was  going  to  say.  So  once  you  — 
Once  the  other  government  agency  said  you  had  access  to  SIPRNET  and 
approved  of  that,  then  there  were  no  individual  access  restrictions 
on  Net-Centric  Diplomacy  Database? 

A.  As  far  as  viewing  and  printing  messages,  no. 

Q.  Now,  when  you  talked  about  your  experience  of  using  the 
Net-Centric  Diplomacy  Database,  you  talked  about,  you  know,  I  went 
there,  I  clicked  and  I  opened  something  and  I  printed  it. 

A.  Uh-huh.  That's  correct. 

Q.  Did  you  actually  ever  do  that? 

A.  Yes,  I  actually  did. 

Q.  And  - 

A.  And  the  typical  trick  for  something  like  that  is  I  go  out 
and  search  for  my  own  name,  I  do  that,  or  also  for  other  events  if 
there  was  a  particular  issue,  so  what's  being  reported  on  Iraq  for 
right  now,  for  example. 

Q.  And  so  when  you  did  that,  could  you  open  multiple  —  once 
you  had  Net-Centric  Diplomacy  Database  opened,  could  you  open 
multiple  Windows  to  have  multiple  cables  up  at  one  time? 
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A.  Multiple  Windows?  I  mean  it's  the  same  way  if  I  open 
something  I  believe  today  it  would  go  down  to  the  bottom  ribbon  bar 
in  the  Internet  Explorer. 

Q.  Sure.  But  like  —  What  I'm  saying  essentially,  and  we  can 
—  let's  keep  it  within  the  Net-Centric  Diplomacy  Database  and  keep 
it  with  your  experience.  If  you  opened  up  --  you  got  a  query  and 
you  have  ten  cables  come  up  and  you  open  up  number  one,  could  you 
then  minimize  that  or  move  it  to  the  side  and  open  up  two  as  well  to 
see  one  and  two? 

A.  Yes. 

Q.  And  if  you  had  multiple  tabs  open,  could  you  then  decide 
which,  if  any,  to  print? 

A.  Yes. 

Q.  Or  did  you  have  to  close  them  all  down  to  print  one? 

A.  No.  You  would  go  to  that  window  and  print  from  there. 

Q.  Now,  with  regards  to  the  Net-Centric  Diplomacy  Database, 

because  it  was  available  to  anyone  on  the  SIPRNET,  did  the  State 
Department  put  out  any  sort  of  information  to  other  agencies  saying 
how  you  had  to  access  it,  any  sort  of  restrictions  on  how  you 
accessed  or  - 

A.  I'm  not  aware  of  any. 
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Q.  If  another  agency  permitted  a  user  to  access  it  in  a 
particular  manner  or  particular  number  of  cables,  was  that  anything 
that  the  State  Department  was  monitoring  or  overseeing? 

A.  No. 

Q.  My  understanding,  and  you  tell  me  if  you  know  this,  each 
cable  on  the  Net-Centric  Diplomacy  Database  had  kind  of  a  warning 
banner.  Are  you  aware  of  that? 

A.  I'm  not  surprised  by  that.  I  don't  have  really  —  I  don't 
recall  exactly  what  that  warning  banner  would  state,  but  that's 
pretty  standard  procedure. 

Q.  All  right.  Just  so  I  know  the  testimony,  I'm  not  going  to 
ask  you  to  tell  me  that  verbatim.  But  are  you  aware  whether  or  not  a 
cable  had  a  warning  banner  on  it? 

A.  I  have  been  shown  that  they  did  have  warning  banners  on 
them,  yes. 

Q.  And  within  that  banner,  do  you  recall  whether  or  not  any 
said  there  was  a  particular  restriction  on  the  manner  of  downloading 
the  cables? 

A.  I'm  not  aware  of  that. 

Q.  Was  anything  in  the  banner  that  ever  said  that  you  were 
limited  in  some  way  to  just  click,  opening  and  saving? 

A.  No. 
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Q.  All  right.  Was  there  anything  in  the  banner  that  said  that 
you,  a  user,  was  restricted  from  automating  the  process  of  click, 
open  and  saving? 

A.  No.  It  says  it's  for  authorized  purposes  is  typically  what 
the  banner  is  saying  on  that  case. 

Q.  So  that  kind  of  goes  back  to  the  idea  of  if  you  were 
authorized  to  go  there  and  you  were  doing  it  for  some  reason  or 
whatnot,  then  you  were  authorized  to  go  on  the  Net-Centric  Diplomacy 
Database? 

A.  Uh-huh.  Yes. 

Q.  And  you  can  tell  me  if  you're  not  aware  of  this  and  then  I 
won't  ask  any  other  questions  on  this  part,  but  in  September  of  2012 
the  Office  of  Inspector  General  released  a  report  on  the  Net-Centric 
Diplomacy  Database.  Are  you  aware  of  that  report? 

A.  Only  since  you  showed  it  to  me. 

ATC [CPT  OVERGAARD] :  Objection,  ma'am.  Relevance. 

MJ:  I  will  give  a  little  latitude  here.  Go  ahead. 

A.  Only  since  you  showed  it  to  me  this  morning.  No,  I  was  not 
aware  of  that  report.  That  was  after  I  retired. 

Q.  Okay.  So  are  you  aware  of  any  sort  of  internal  review  by 
the  State  Department  as  to  the  design  flaws  of  the  Net-Centric 
Diplomacy  Database? 

A.  I  am  not. 
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Q.  Are  you  aware  of  any  sort  of  corrective  steps  that  the 
State  Department  was  or  was  not  considering  with  regards  to  the  Net- 
Centric  Diplomacy  Database? 

A.  No,  I  do  not  know  any  specifics  of  that. 

Q.  With  regards  to  the  database,  during  your  time  was  the  Net- 
Centric  Diplomacy  Database  ever  inaccessible  to  State  Department 
employees? 

A.  It  possibly  could  have  been  for  a  network  issue. 

Q.  Okay.  But  as  far  as  actually  having  the  Database  taken 
from  you,  was  the  Database  ever  removed  from  - 

A.  Not  to  my  knowledge. 

Q.  Okay.  So,  and  I'm  sorry,  I  just  want  to  complete  the 
question. 

A.  Okay. 

Q.  But  I  know  your  answer.  And  I'm  fine  with  your  answer. 

But  was  it  ever  removed  from  the  Department  of  State's  servers  or 
websites  where  you  no  longer  had  the  Database  on  your  servers? 

ATC [CPT  OVERGAARD] :  Ma'am,  I'd  just  ask  for  a  time  restriction 
on  this  for  relevance. 

MJ:  Overruled. 

A.  Again,  please. 


9087 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


© 


9 


Q.  Sure.  So  from  your  time  when  you  were  there,  are  you  aware 
of  any  time  where  the  Net-Centric  Diplomacy  Database  was  removed  from 
the  servers  to  where  it  was  no  longer  accessible? 

A.  During  my  time  there,  no,  that's  correct. 

Q.  And  when  did  your  time  end? 

A.  I  retired  in  April  of  2011,  but  I  was  on  extended  medical 

leave  from  October  through  February. 

Q.  Of  2011? 

A.  Uh-huh.  That's  correct.  October  2010  through. 

Q.  So  basically  your  knowledge  would  go  up  to,  what  date  would 


you  say? 

A.  Really  when  I  left  in  October  for  my  medical  leave. 
Q.  Of  20? 

A.  10. 


Q.  So  up  until  October  of  2010,  to  your  knowledge,  the  Net- 
Centric  Diplomacy  Database  was  never  removed  from  the  servers? 

A.  That's  correct,  it  was  never  removed  from  the  Department  of 
State  access. 

Q.  You  talked  a  little  bit  about  cables  and  I'd  like  to  ask 
you  some  more  information  about  SIPDIS  cables,  okay? 


A.  Uh-huh.  Yes. 

Q.  And  if  there's  anything  you  don't  know,  just  let  me  know 
and  we'll  go  over  that.  With  regards  to  uploading  cables,  I  think 
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you  said  that  SIPDIS  cables  would  go  in  once  they  were  reviewed  into 
the  Net-Centric  Diplomacy  Database.  Is  that  right? 


A. 

Uh-huh.  That's  correct. 

Q. 

And  then  certain  users  had  the  ability  if  they  had  a 

particular  account  to  actually  upload  cables  into  SIPDIS  as  well? 


A. 

That's  correct. 

Q. 

Could  you  tell  us  a  little  bit  more  about  that  second  part? 

Like  who 

are  the  —  who  would  have  that  type  of  account? 

A. 

Anyone  with  Intellipedia  type  of  users  would  have  had  that 

type  of  account. 

Q.  And  when  they  uploaded  something  to  the  Net-Centric 
Diplomacy  Database,  was  there  any  sort  of  review  to  avoid  spillage? 


A. 

I  don ' t  know . 

Q. 

When  they  uploaded  that,  was  there  any  sort  of  guidance  put 

out  that 

only  those  cables  that  would  qualify  for  SIPDIS  should  be 

uploaded 

to  the  Net-Centric  Diplomacy  Database? 

A. 

Overt  guidance  to  that  effect,  I  don't  know  that  that  would 

have  been  done  necessarily  as  well.  I  mean  it  was  —  The  NCD  had  its 
disclaimers  associated  with  it,  so  I  couldn't  say.  I  never  did  an 
upload  of  a  document,  so  I  really  couldn't  speak  too  much  to  this 


aspect . 

Q. 

Okay.  So  my  understanding  then  from  your  testimony  though 

when  like  some  posts  would  put  a  caption  SIPDIS  - 
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A.  Yes. 

Q.  -  it  would  come  into  the  State  Department  and  get  a 

review  basically  to  make  sure  there's  no  spillage  issues? 

A.  There  was  a  system  review  that  would  look  for  that,  yes. 

Q.  And  then  also  to  remove  any  PII  information,  personal 
identifying  information? 

A.  It  was  identified  and  put  off  to  its  own  gueue . 

Q.  And  then  it  would  go  into  SIPRNET  after  that  review? 

A.  That's  correct. 

Q.  So  if  that  were  the  process,  do  you  know  if  —  if  I'm  a 
person  who's  got  Intellipedia  and  I'm  uploading  a  cable  to  the  Net- 
Centric  Diplomacy  Database,  is  there  anything  on  this  side  that  would 
do  a  review? 

A.  I  don't  know. 

Q.  Okay.  So  that  could  happen  and  you  just  wouldn't  know? 

A.  That's  correct. 

Q.  Now,  with  regards  to  SIPDIS,  my  understanding  of  that  term, 
and  tell  me  if  you  agree,  is  SIPRNET  distribution  would  mean  that 
this  is  the  type  of  information  that's  appropriate  to  share  with 
anybody  who  would  have  access  to  the  SIPRNET? 

A.  That's  correct. 
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Q.  And  the  majority  of  these  cables  then,  the  idea  would  be 
anyone  —  well,  actually  before  I  ask  that.  Do  you  know  how  many 
people  had  access  to  SIPRNET? 

A.  I  don't  know,  no. 

Q.  In  your  mind  is  that  a  very  few  people  or  quite  a  bit? 

A.  That's  relative  to  what,  you  know,  it's  a  lot  compared  to 

Department  of  State  users  because  we  only  had  approximately  20,000 
users  in  the  Department  of  State  with  access  to  ClassNet  and  SIPRNET. 
So  it  was  some  number  in  excess  of  that. 

Q.  All  right.  So  then  when  somebody  from  the  Department  of 

State  was  putting  a  SIPDIS  cable  on  the  Net-Centric  Diplomacy 
Database,  I  imagine  there  was  guidance  put  out  what  that  meant,  that 
SIPDIS  caption? 

A.  Multiple  times  we  sent  telegrams  to  the  field  to  drafting 
officers  specifying  this  is  appropriate  for  SIPDIS  dissemination, 
this  is  not  appropriate. 

Q.  So  knowing  that  it's  going  to  go  to  an  audience  that's  in 
excess  at  least  of  what  the  State  Department's  audience  would  be  of 
20,000,  you  would  agree  with  me  that  the  type  of  information  that's 
put  in  there  shouldn't  be  our  nation's  most  closely  held  secrets? 

A.  I  don't  know  if  that's  necessarily  the  case.  I  mean, 
again,  it' s  - 


9091 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 


o 


o 


Q.  Well  it  shouldn't  be  any  Top  Secret  information,  would  you 
agree  with  that? 

A.  No.  Because  it's  on  the  Secret  high  network. 

Q.  Exactly.  And  are  you  aware  of  other  more  sensitive  tags 

such  as  StateDis,  NoDis,  ExDis? 

A.  Yeah,  StateDis  I  believe  is  obsolete  at  this  point.  NoDis 
is  no  distribution,  basically  they  didn't  want  an  electronic 
distribution  of  that  although  later  on  it  was  allowed.  Any  number  of 
captions,  ExDis  was  another  one  as  well,  executive  distribution. 

Q.  Let's  go  through  each  one  of  these  just  - 

A.  Okay. 


Q.  -  one  by  one  for  a  moment.  What  does  NoDis  stand  for? 

A.  No  distribution. 

Q.  And  my  understanding  is  this  captioning  is  for  the  messages 
of  the  highest  sensitivity  between  either  the  President,  Secretary  of 
State  - 


A.  Or  it  might  be  that  we  are  sending  something  embarrassing 
about  the  Department  of  Defense,  something  that  should  not  be  shared. 
Q.  And  ExDis,  what  does  that  stand  for? 

A.  Executive  distribution,  so  that  would  typically  be 
conversations  between  Secretary  of  State  and  his  or  her  Ambassadors. 
Q.  And  what  about? 
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A.  StateDis  was  State  distribution  only  when  that  was  still  in 

use . 

Q.  And  how  about  Roger,  are  you  familiar  with  that? 

A.  Roger  is  Intelligence  distribution. 

Q.  And  TerRep,  are  you  familiar  that  one? 

A.  TerRep,  it's  terrorist  type  of  information  reporting, 
terrorist  reporting. 

Q.  And  you  would  agree  with  me  each  of  those  captions  makes  it 
a  much  more  restrictive  audience  that  can  see  the  cable? 

A.  Yes.  I  mean  that's  the  purpose  of  those  captions  on  there. 

Q.  If  you  had  a  cable  that  had  SIPDIS  without  any  other  more 

restrictive  caption,  it  would  not  be  put  on  the  Net-Centric  Diplomacy 
Database? 

A.  It  should  not  be  put  on  the  Net-Centric  Diplomacy  Database, 
yes.  Certainly  in  the  case  of  ExDis  and  NoDis.  I'm  not  sure  about 
TerRep.  I'm  not  sure  that  that  wouldn't  be  put  out  into  Net-Centric 
Diplomacy  Database.  Roger  channel  would  not  be  placed  out  there  as 
well.  TerRep  I'm  not  sure  of. 

Q.  Now,  with  regards  to  cables,  and  you  can  tell  me  if  you 
don't  know  this,  I  just  want  to  get  an  idea  of  how  many  cables  we're 
talking  about  that  might  get  to  SIPDIS.  Do  you  know  how  many  cables 
roughly  in  a  year  the  State  Department  would  do? 
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A.  At  the  time  when  I  was  running  the  message  and  systems 
office  I  tracked  it  very  closely  and  at  that  time  when  I  left  there 
in  2004/2005  timeframe,  we  were  doing  around  300,000  messages  a  year. 

Q.  Okay.  So  300,000  a  year  of  just  cables.  Is  that  correct? 

A.  That's  correct. 

Q.  And  would  you  agree  with  me  that  roughly  about  75  percent 
of  those  were  just  administrative  in  nature? 

A.  That's  the  number  that  we  used,  yes,  75  percent  were 
administrative . 

Q.  Do  you  have  an  idea  of  how  many  cables  per  year  once  we 
have  the  SIPDIS  caption  roughly  were  being  created? 

A.  No,  I  do  not  know  that  number.  I  would  have  had  access  to 
that  number  at  one  point,  but  I  don't  recall  what  that  number  was. 

Q.  But  whatever  number  that  would  be,  that  would  be  the 
percentage  I  guess  of  the  300,000  cables? 

A.  Uh-huh. 

CDC [MR .  COOMBS]:  Mr.  Wisecarver,  thank  you.  I  don't  have  any 

further  questions  for  you. 

MJ:  Redirect. 

ATC [CPT  OVERGAARD] :  Yes,  ma'am. 

[END  OF  PAGE 


9094 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


Q 


O 


REDIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  OVERGAARD] : 

Q.  Mr.  Wisecarver,  on  cross  you  talked  about  other  than  SIPDIS 
cables  should  not  be  on  NCD  beside  SIPDIS? 

A.  That's  correct. 

Q.  But  could  they  be? 

A.  Through  that  uploading  process  or  through  some  type  of 
human  error,  yes,  they  could  be. 

Q.  And  how  was  NCD  originally  populated? 

A.  It  was  actually  through  a  scanning  process.  We  sent  teams, 
at  that  time  I  was  not  responsible  for  the  system,  but  the  way  the 
Resource  Management  Bureau's  Program  Office  did  it  at  that  time  was 
they  sent  teams  out  to  the  posts  overseas,  they  employed  thousands  of 
foreign  service  officers  and  other  members  of  the  post  and  they  would 
go  through  the  filing  cabinets,  they  would  go  through  the  five-drawer 
filing  cabinets  and  primarily  at  that  time  they  were  focused  on 
biographical  data  and  making  that  available. 

Q.  So,  there  could  be  —  So  for  the  historic  or  for  the  older 
cables  those  would  have  been  manually  scanned  in  and  uploaded? 

A.  That's  correct. 

Q.  So  those  wouldn't  be  marked  SIPDIS  either? 

A.  No,  they  would  not  have  been.  That  would  have  been  pre- 
SIPDIS  creation  of  that  caption. 
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Q.  And  that  —  Does  that  date  back  to  when  telegrams  were 
first  started? 

A.  Yeah.  Telegrams  go  back  a  long  ways,  so  potentially  if 
someone  had  one  of  these  old  telegrams  in  their  filing  cabinet,  it 
could  have  been  scanned. 

Q.  And  how  far  back,  do  you  know,  does  that  go? 

A.  Telegrams  go  back  to  World  War  II  timeframe  and  probably 
even  —  I  mean  there's  the  old  cable  system  that  goes  back,  this  is 
based  on  Telex  type  of  technology,  so  this  goes  back  to  the  turn  of 
century. 

Q.  Okay.  You  also  mentioned  that  there  was  —  on  cross  that 
there  was  a  —  there's  a  process  to  remove  PII. 

A.  Uh-huh. 

Q.  What  was  that  process? 

A.  Going  through  and  doing  searches  for  strings  like  a  Social 
Security  Numbers  three  digits  hyphen  two  digits  and  then  three 
digits.  So  looking  for  certain  types  of  strings,  characters,  and 
then  those  would  be  identified  and  then  purged  if  they  were  deemed  to 
be  privacy  related  information.  Same  thing  with  credit  card  numbers 
as  well. 

Q.  Was  it  automated  or  did  a  person  go  through  and  look? 

A.  No.  It  had  to  be  manually. 

Q.  Okay. 
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A.  It  was  a  manual  search. 

Q.  And  do  you  know  was  PI I  always  removed? 

A.  Every  attempt  was  made  to  remove  it. 

Q.  So  every  attempt  was  made.  You  also  mentioned  on  cross 
that  Department  of  State  relied  on  other  agencies  to  monitor  their 
use  of  NCD.  What  —  Why  were  there  no  technical  restrictions  put  in 
place  on  NCD? 

MJ:  Yes? 

CDC [MR.  COOMBS]:  I'm  going  to  object  again.  I  think  at  this 

point  the  witness  has  already  established  that  he  had  no  design 
knowledge  of  NCD  and  that  this  would  again  require  the  witness  to  be 
an  expert  to  talk  about  - 

MJ:  What  was  your  question? 

ATC [CPT  OVERGAARD] :  If  he  knows,  based  on  what  was  listed  on 
cross  about  Department  of  State  relying  on  other  agencies  to  monitor, 
why  there  was  no  technical  restrictions? 

MJ:  Do  you  know  the  answer  to  that? 

WIT:  It  would  inhibit  the  sharing  of  information,  be 
administratively  difficult  to  manage  if  not  impossible. 

MJ:  I'm  going  to  overrule  that,  go  ahead. 
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Questions  by  the  assistant  trial  counsel  [CPT  OVERGAARD] : 

Q.  Did  you  know  in  your  use  of  NCD,  was  there  a  mechanism  that 
digitally  allowed  users  to  download  or  print  multiple  cables  at  a 
time? 

A.  I'm  not  aware  of  any  such  capability  or  function. 

ATC [CPT  OVERGAARD]:  One  moment,  please. 

Q.  Did  PII  include  names? 

A.  No.  Well,  it  would  include  —  names  would  be  a  part  of  it. 
Name,  associated  with  a  Social  Security  Number  and  date  of  birth. 

Q.  And  was  that  process  100  percent? 

A.  It's  highly  doubtful. 

ATC [CPT  OVERGAARD]:  All  right.  Thank  you,  sir. 

MJ:  All  right.  Anything  final  on  the  other  side? 

CDC [MR.  COOMBS]:  Nothing,  Your  Honor. 

MJ:  I  have  a  couple  of  questions  for  you. 

EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  Based  on  that  last  question,  in  these  cables  that  were 
reviewed  to  go  on  NCD,  were  the  names  purged  or  not? 

A.  No,  ma'am,  names  were  not  purged. 

Q.  You  testified  earlier  that  there  were  cables  that  went  out 
to  the  Bureaus  in  the  field  on  what  should  or  shouldn't  be,  I  guess 
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with  criteria  on  what  should  or  shouldn't  be  on  NCD.  What  were  the 
criteria  that  were  put  out? 

A.  Information  that  should  be  broadly  shared,  information  for 
the  war  fighter,  information  of  interest.  As  long  as  it  didn't 
violate  privacy  guidelines. 

MJ:  Any  follow-up  based  on  that? 

ATC [CPT  OVERGAARD] :  No,  ma'am. 

CDC [MR .  COOMBS]:  No,  Your  Honor. 

MJ:  Temporary  over  permanent  excusal? 

ATC [CPT  OVERGAARD]:  Temporary,  ma'am. 

MJ:  All  right. 

[The  witness  was  temporarily  excused,  duly  warned,  and  withdrew  from 
the  courtroom . ] 

TC [MAJ  FEIN] : Ma ' am,  the  United  States  offers  to  read  Miss 
Thian's  Stipulation  into  evidence. 

MJ:  Proceed. 

TC [MAJ  FEIN]:  Ma'am,  this  is  Prosecution  Exhibit  150. 
Stipulation  of  Expected  Testimony  for  Miss  Tasha  Thian,  dated  16  June 
2013. 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 
Trial  Counsel,  that  if  Ms.  Tasha  M.  Thian  were  present  to  testify 
during  the  merits  and  pre-sentencing  phases  of  this  court-martial, 
she  would  testify  substantially  as  follows: 
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I  am  the  Agency  Records  Officer,  Office  of  Information 
Programs  and  Services,  U.S.  Department  of  State.  In  this  position,  I 
set  policy  and  procedures  for  the  management  of  records  within  the 
Department.  I  am  the  Department  Official  responsible  for  the 
Department  of  State  records.  I  am  the  head  of  a  division  of  25 
employees.  The  duties  of  these  employees  include  records  analysis, 
website  management,  records  scheduling  activities,  and  records 
review.  I  am  a  certified  records  manager  with  31  years  of  service 
with  the  Federal  Government.  I  am  responsible  for  the  Foreign 
Affairs  Manual  and  Handbook  sections  on  records  management.  I  have 
been  the  Agency  Records  Officer  since  August  2007. 

A  cable  is  an  official  message  of  the  Department  of  State. 
Cables  can  be  sent  between  posts  or  between  posts  and  State 
Department  Headquarters.  When  a  cable  is  sent,  a  record  copy  of  the 
cable  is  automatically  captured  in  the  State  Archiving  System  (SAS) . 
The  SAS  contains  classified  cables  at  the  Secret  level  and  below 
since  1973.  There  are  approximately  400,000  new  Department  of  — 
Department  cables  stored  in  the  SAS  annually. 

Cables  are  identified  by  the  Message  Record  Number  (MRN) 
assigned  to  each  cable.  An  MRN  has  three  parts.  The  first  part  of 
the  MRN  is  the  two-digit  year  the  cable  was  created.  The  second  part 
is  the  name  of  the  post  that  created  the  cable.  The  third  part  is 
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the  sequence  number  of  the  cable.  For  example,  05Algiersl836  would 
be  the  1,836th  cable  sent  by  Embassy  Algiers  in  2005. 

I  reviewed  and  printed  directly  from  the  SAS  the  cables 
Bates  numbers:  00505328  through  00505808  listed  in  Prosecution 
Exhibit  151  for  Identification.  On  6  December  2012,  I  also  attested 
to  the  authenticity  of  these  cables  in  a  document  with  the  Bates 
numbers:  00527342  through  00527346.  This  authentication  memorandum 
was  written  on  Department  of  State  letterhead  and  accompanied  by  the 
Department  seal  and  the  Secretary's  signature  verifying  my  authority. 
With  this  memorandum,  I  attested  that  each  of  the  listed  records  was 
made  at  or  near  the  time  of  the  occurrences  of  the  matters  set  forth 
therein.  Each  record  was  made  by,  or  from  information  transmitted 
by,  people  with  knowledge  of  those  matters.  The  records  were  kept  in 
the  course  of  the  Department's  regularly  conducted  business 
activities,  and  it  was  the  regular  practice  of  such  business 
activities  to  make  these  records.  I  also  celiified  that  the  records 
listed  in  PE  151  for  Identification  are  true  copies  of  the  original 
records  contained  within  the  files  of  the  Department  of  State. 

PE  98  for  Identification  contains  the  Net-Centric  Diplomacy 
version  of  the  above  referenced  cables  and  the  same  cables  in 
Appellate  Exhibit  501.  The  formatting  of  the  cables  listed  in  PE  98 
for  ID  and  AE  501  is  different  than  the  cables  in  SAS,  but  the  text 
and  content  are  the  same. 
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Your  Honor,  the  United  States  moves  to  admit  Prosecution 
Exhibits  98  and  151  for  Identification  as  Prosecution  Exhibits  98  and 
151. 

CDC [MR .  COOMBS]:  No  objection,  ma'am. 

MJ:  All  right.  May  I  see  them?  Prosecution  Exhibit  151  for 

Identification  is  admitted.  Prosecution  Exhibit  98  for 
Identification  is  admitted.  Proceed. 

TC [MAJ  FEIN]:  Ma'am,  at  this  point  the  United  States  requests  a 
20-minute  recess  for  a  comfort  break  and  to  finalize  any  stipulations 
for  the  day. 

MJ:  All  right.  And  you  also  have  my  answer  to  the  question 

that  I  asked  earlier. 

TC [MAJ  FEIN]:  Yes,  ma'am,  I  will. 

MJ:  Anything  else  we  need  to  cover  before  we  recess? 

CDC [MR.  COOMBS] :  No,  Your  Honor. 

MJ:  Court's  in  recess  until  10  after  11. 

[The  court-martial  recessed  at  1057,  26  June  2013.] 

[The  court-martial  was  called  to  order  at  1136,  26  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  that  all 

parties  present  when  the  Court  last  recessed  are  again  present  in 
Court.  All  right.  Does  the  government  have  an  answer  to  my 
question? 
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ATC [CPT  MORROW]:  Yes,  Your  Honor.  The  two  Tweets  have  been 

marked  as  Prosecution  Exhibits  31  Alpha  and  32  Alpha  for 
Identification  and  we'd  offer  those  into  evidence,  subject  to  your 
ruling  on  the  evidence. 

MJ:  All  right.  Any  objection  from  the  defense? 

ADC [CPT  TOOMAN] :  The  same  objection  that  we've  discussed  at 

length,  Your  Honor. 

MJ:  All  right.  Captain  Morrow,  has  Special  Agent  Mander 

testified  that  the  Prosecution  Exhibits  31  Alpha  and  32  Alpha  are  the 
screen  images  of  the  images  that  he  pulled  from  the  Twitter  account? 

ATC [CPT  MORROW]:  We  believe  he  has.  Your  Honor.  We  believe 

he  testified  - 

MJ:  He  testified  that  he  saw  them.  He  didn't  testify  that  - 

ATC [CPT  MORROW]:  That  he  saw  them  about  a  year  ago,  that  he 

had  printed  them,  but  I'd  have  to  go  back  and  look  at  the  transcript. 

MJ:  Did  he  ever  connect  Prosecution  Exhibit  31  for 

Identification,  Alpha,  and  32  Alpha? 

ATC [CPT  MORROW]:  No,  he  has  not  made  that  connection.  We  can 

recall  him  for  that  purpose. 

MJ:  All  right.  When  did  you  plan  to  do  that? 

ATC [CPT  MORROW]:  Tomorrow,  Your  Honor.  Tomorrow  morning. 

MJ:  All  right. 
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TC [MAJ  FEIN]:  Ma'am,  also  for  the  record  reflect  the  accused 
and  Major  Hurley  are  currently  located  in  the  panel  box  to  review 
classified  material. 

MJ:  Okay.  All  right.  We  have  two  Stipulations  of  Expected 

testimony  at  issue? 

TC [MAJ  FEIN]:  Yes,  ma'am.  What's  been  marked  as  Prosecution 
Exhibits  162  Alpha  and  Bravo  for  Identification,  and  Prosecution 
Exhibits  163  Alpha  and  Bravo  for  Identification.  Alpha  are  the 
redacted  versions  and  bravo  are  the  original  classified  versions. 

MJ:  All  right.  May  I  see  them,  please?  All  right.  PFC 

Manning,  we've  gone  through  this  inquiry  a  few  times  with  respect  to 
other  stipulations  of  expected  testimony.  I  have  before  me 
Prosecution  Exhibit  162  Alpha  which  is  the  Stipulation  of  Expected 
Testimony  for  Mr.  Albert  Janek,  and  162  for  —  Prosecution  Exhibit 
162  Bravo  for  Identification  which  is  the  classified  version  of  that 
exhibit.  And  I  also  have  Prosecution  Exhibit  163  for  Identification, 
the  Stipulation  of  Expected  Testimony  of  Mr.  Gerald  Mundy,  and 
Prosecution  Exhibit  163  B  which  is  the  classified  version  of  that 
stipulation  of  expected  testimony.  Do  you  have  a  copy  of  both  the 
classified  and  redacted  versions  of  Prosecution  Exhibits  162  and  163? 

ACC:  Yes,  Your  Honor. 

MJ:  Did  you  sign  those  stipulations  of  expected  testimony? 

ACC:  Yes,  Your  Honor,  I  did. 
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MJ:  Before  signing  them,  did  you  read  them  thoroughly? 

ACC:  Yes,  ma'am. 

MJ:  Do  you  understand  the  contents  of  the  stipulations? 

ACC:  Yes,  ma'am. 

MJ:  Did  your  defense  counsel  explain  the  stipulations  to  you? 

ACC:  Yes,  ma'am. 

MJ:  Do  you  understand  you  have  an  absolute  right  to  refuse  to 

stipulate  to  the  contents  of  either  of  these  documents? 

ACC:  Yes,  ma'am. 

MJ:  Now,  you  should  enter  into  a  stipulation  only  if  you 

believe  it's  in  your  best  interest  to  do  that,  do  you  understand 
that? 


ACC:  Yes,  ma'am. 

MJ:  Now,  once  again,  this  is  a  stipulation  of  expected 

testimony,  and  what  that  is  is  when  counsel  for  both  sides  and  you 
agree  to  a  stipulation  of  expected  testimony,  you  are  agreeing  that 
for  Prosecution  Exhibit  162  Alpha  and  Bravo,  if  Mr.  Albert  Janek  were 
here  testifying  in  court,  and  for  Prosecution  Exhibit  163  Alpha  and 
Bravo,  if  Mr.  Gerald  Mundy  were  here  testifying  in  court,  you're 
agreeing  that  this  stipulation  of  expected  testimony  is  what  each  of 
these  witnesses  would  say. 

ACC:  Yes,  Your  Honor. 
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MJ:  The  stipulation  does  not  admit  to  the  truth  of  the  person's 

testimony,  the  stipulation  can  be  contradicted,  attacked  or  explained 
in  the  same  way  as  if  the  person  who  was  testifying  here  in  court  on 
the  witness  stand.  Now  knowing  what  I  —  Do  you  understand  all  that? 

ACC:  Yes,  Your  Honor. 

MJ:  Now,  knowing  what  I've  told  you  and  what  your  defense 

counsel  has  told  you  about  these  stipulations,  do  you  still  desire  to 
enter  into  them? 

ACC:  Yes,  ma'am. 

MJ:  Do  counsel  concur? 

ADC [MAJ  HURLEY]:  Yes,  ma'am. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  All  right.  Prosecution  Exhibits  162  Alpha  and  162  Bravo, 
and  163  Alpha  and  163  Bravo  are  admitted.  All  right.  Do  we  have 
someone  available  to  retrieve  the  classified  portions? 

TC [MAJ  FEIN]:  Ma'am,  at  this  point  they  can  be  left  there  if 

the  accused  and  Major  Hurley  can  go  back  to  their  desk  and  they'll  be 

monitored  until  we  recess. 

MJ:  All  right.  PFC  Manning  and  Major  Hurley,  why  don't  you 

return  to  the  defense  table?  Is  the  government  ready  to  proceed? 

TC [MAJ  FEIN]:  Yes,  ma'am.  There's  also  one  other  correction 

that's  been  made  by  the  parties.  Your  Honor,  on  a  Stipulation  of 
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Expected  Testimony,  this  is  Prosecution  Exhibit  149.  Stipulation  of 
Expected  Testimony  from  Mr.  James  Downey  dated  17  June  2013. 

MJ:  May  I  see  it,  please? 

TC [MAJ  FEIN]:  Yes,  Your  Honor. 

MJ:  All  right.  Please  describe  the  change. 

TC [MAJ  FEIN]:  Yes,  ma'am.  On  Page  3,  Your  Honor,  the  top  right 
where  the  Prosecution  Exhibit  PE  number  was  originally  inked  in,  it 

was  152.  It  has  been  changed  to  PE  164  for  Identification. 

MJ:  All  right.  And  I  see  three  sets  of  initials  next  to  it. 

Are  those  the  initials  of  counsel  and  PFC  Manning? 

ADC [MAJ  HURLEY]:  Yes,  ma'am. 

MJ:  So  you  concur  with  the  change? 

ADC [MAJ  HURLEY]:  Yes,  ma'am. 

MJ:  And  you  do  as  well? 

ACC:  Yes,  Your  Honor. 

MJ:  All  right.  Is  there  anything  else  we  need  to  address 

before  we  proceed? 

TC [MAJ  FEIN]:  No,  ma'am. 

MJ:  Has  that  Stipulation  of  Expected  Testimony  been  read  in  the 

record  already? 

TC [MAJ  FEIN]:  It  has  not.  Your  Honor,  it  will  be  this  morning. 
Your  Honor,  the  United  States  offers  to  be  read  into  the  record  the 
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Stipulation  of  Expected  Testimony  of  Mr.  Albert  Janek,  Prosecution 
Exhibit  162  Alpha. 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 
Trial  Counsel,  that  if  Mr.  Albert  Janek  were  present  to  testified 
during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he 
would  testify  substantially  as  follows: 

I  currently  work  for  the  Department  of  State,  Under 
Secretary  of  Management,  Office  for  Policy,  Right-Sizing  and 
Innovation,  as  the  Direct  of  Continuity  at  the  United  States  Embassy 
in  Kabul,  Afghanistan.  In  this  capacity,  I  manage  the  containment 
and  movement  of  information  at  our  office  in  Kabul.  I  have  worked  at 
the  Department  of  State  for  11  years  in  various  Information 
Technology  (IT)  positions.  Before  joining  Department  of  State,  I 
worked  in  IT  for  5  years  for  businesses  and  a  university.  I  possess 
numerous  certifications,  including  CISSP,  CAP,  MCSE,  Security  Plus,  A 
Plus,  and  Net  Plus.  I  was  also  a  Microsoft  Certified  Trainer. 

From  2009  to  2012,  I  was  a  Special  Projects  Manager  within 
the  Messaging  Systems  Products,  Messaging  Systems  Office  in  the 
Bureau  of  Information  Research  Management,  at  the  Department  of 
State.  In  this  Capacity,  I  was  responsible  for  the  management  of 
certain  Department  of  State  Messaging  Systems,  including  Net-Centric 
Diplomacy  server  logs.  The  NCD  server  logs  track  the  Internet 
Protocol  (IP)  addresses  of  a  user  requesting  our  resources,  as  well 
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as  the  time  and  date  that  request  was  made,  whether  the  user 
retrieved  the  resource  or  not,  and  the  metadata  associated  with  that 
connection.  Metadata  is  data  about  data.  Structural  metadata 
provides  information  about  the  design  of  data  structures.  It  is 
essential  data  about  how  the  data  itself  is  contained.  Descriptive 
metadata  is  data  that  provides  information  about  the  application  of 
data,  or  the  data  content.  Accordingly,  these  server  logs  describe 
the  connection  between  two  systems  on  the  SIPRNET. 

A  log  is  created  any  time  a  Hypertext  Transfer  Protocol 
(HTTP)  talks  via  the  Transmission  Control  Protocol  (TCP)  and 
successfully  receives  information.  HTTP  is  the  foundation  of  data 
communication  for  the  World  Wide  Web.  It  consists  of  packets  of 
data,  which,  when  connected  wirelessly  or  via  Ethernet  cable,  creates 
a  network  for  communication.  TCP  provides  reliable,  ordered,  error- 
checked  delivery  of  a  stream  of  data  between  programs  running  on 
computers  connected  to  the  Internet.  Simply  put,  if  TCP  is  a 
highway,  HTTP  constitutes  the  lanes  on  the  highway.  The  server  logs 
track  the  data  entering  and  exiting  a  server  which  exists  on  a 
classified  network  platform  between  the  Department  of  Defense's 
SIPRNET  and  the  State  Department's  CLASSNET.  Specifically,  the  NCD 
Server  is  located  in  what  is  commonly  known  as  the  "DMZ"  between 
SIPRNET  and  the  Department  of  State  CLASSNET.  Department  of  State 
CLASSNET  is  the  Department's  own  version  of  SIPRNET,  a  classified 
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network  that  is  accredited  to  hold  Secret  information  and  data.  I  am 
aware  that  the  State  Department  has  a  "captioning"  system  for  cables. 
Captions  limit  the  distribution  of  cables.  A  cable  could  be 
captioned  "STADIS"  for  distribution  to  only  State  Department 
personnel.  It  could  be  captioned  "NODIS"  for  distribution  only  to 
the  intended  receipt.  During  the  time  I  worked  there,  a  cable  could 
also  be  captioned  "SIPDIS"  for  distribution  on  the  SIPRNET . 

I  know  that  the  logs  —  that  these  logs  are  accurate 
because  only  three  individuals,  including  myself,  had  access  to  them. 
To  alter  the  data,  an  individual  would  have  to  hack  into  the  server 
operating  system  to  manipulate  the  logs.  The  logs  are  reviewed  about 
once  a  quarter,  typically  to  see  the  number  of  organizations  that  are 
using  our  products.  A  log  is  only  created  upon  a  successful  request 
sent  to  the  server.  If  there  is  an  error,  such  as  "Page  Not 

Available,"  the  log  is  not  created. 

I  first  became  involved  in  this  case  when  Special  Agent 
Ellis  and  Special  Agent  Bowen  of  the  U.S.  Army  Criminal  Investigation 
Command  (CID)  requested  that  I  assist  them  in  the  collection  of 
evidence  from  the  server  logs  of  our  Net-Centric  Diplomacy  Database. 
On  15  June  2012,  I  assisted  them  in  getting  access  to  the  information 
by  escorting  the  agents  to  necessary  log-in  terminal  in  the 
Department  of  State  Server  Room  and  logging  them  into  the  system 
using  my  special  permissions.  I  oversaw  the  agents  as  they  copied 
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the  Department  of  State  server  logs  from  January  2009  to  June  2009, 
and  from  30  April  2012  to  15  June  2012.  Agent  Ellis  used  a  forensic 
tool  to  pull  and  compress  all  the  logs  into  .zip  files.  The  CID 
agents  saved  the  logs  as  "log. zip"  and  "newlogs.zip"  on  a 
forensically  wiped  thumb  drive.  The  thumb  drive  was  marked  Secret. 

I  signed  the  thumb  drive  over  to  SA  Ellis  on  a  U.S.  Department  of 
State  Bureau  of  Diplomatic  Security  Evidence  Receipt/Chain  of  Custody 
(Cyber  Security  Incident  Program)  form.  On  that  form,  I  recorded  the 
thumb  drive  of  the  files  as  "files,  ZIP,  containing  logs,  filename 
logs . zip  and  newlogs.zip,  in  the  root  of  D:\,  hashed  before 
acquisition  and  hashed  copies,  1232,  15  June  2012,  KNE."  The  data  in 
these  files  displays  as  text.  Prosecution  Exhibit  97  for 
Identification  is  a  copy  of  these  logs. 

If  you  look  at  what  has  been  marked  as  PE  97  for 
Identification,  you  can  tell  the  source  IP  address,  the  date/time 
group  that  the  server  responded  to  that  source  IP' s  request  of  the 
system,  what  the  IP  address  was  requesting,  information  from  the  CPU 
of  the  source  IP  address,  the  protocol,  and  the  search  engine  and 
browser  used  by  the  source  IP  address. 

Below  is  an  explanation  of  the  HTTP  logs  by  column  and 
using  a  specific  line  pulled  from  acces_log. 2010-05-04 . 
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The  entry  "22.225.41.22"  is  the  sourse  IP  address.  This 
address  indicates  the  IP  address  of  the  computer  where  a  user  is 
requesting  the  information. 

The  entry  04 /May/2012 : 04 : 34+0000  is  the  time  and  date 
group,  which  is  given  in  Zulu  Time.  The  time  and  date  group  records 
when  the  computer  processes  the  request  from  the  sending  IP  address. 

HTTP/1.1  is  the  protocol,  which  is  discussed  above. 

The  entry  200  is  a  code  that  states  that  the  user's  request 
to  GET  and  access  the  document  was  successful. 

The  entry  98796  is  a  code  about  the  system  that  the  user  is 
connecting  from. 

The  entry  %20  means  that  a  space  exists  in  the  log. 

The  entry  Mozilla/5 . 0  tells  me  that  the  user  of  the 

22.225.41.22  IP  address  was  using  Version  5  of  the  Mozilla  browser. 

The  entry  Windows;  U;  Windows  NT  5.1;  en-US;  rv;  1. 9.1.6 
means  that  a  Windows  NT  workstation  was  being  used  by  the  user  of  the 

22.225.41.22  computer. 

The  entry  Gecko/20091201  Firefox/3 . 5 . 6  tells  me  that  the 

22.225.41.22  system  was  using  the  Firefox  browser. 

I  worked  on  the  NCD  Database  for  approximately  a  year.  To 
my  knowledge,  the  NCD  Database  operated  in  its  designed  manner  for 
the  entire  period.  In  the  2009  through  2010  timeframe,  to  my 
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knowledge,  there  was  never  any  directive  for  Department  of  State 
employees  to  refrain  from  using  the  NCD  Database. 

Your  Honor,  the  United  States  moves  to  admit  what  has  been 
marked  as  Prosecution  Exhibit  97  for  Identification  into  evidence  as 
Prosecution  Exhibit  97 . 

ADC [MAJ  HURLEY]:  Ma'am,  we  have  no  objection  to  that,  but  just 
to  make  clear,  there's  a  line  in  Paragraph  5  on  Page  2  of  the 
Stipulation  of  Expected  Testimony,  we  understood  Major  Fein  to  say  — 
the  sentence  is  about  midway  through  the  paragraph,  it  begins  I 
oversaw".  One  of  the  dates  listed,  we  understood  Major  Fein  to  say 
30  January  2010,  and  obviously  on  the  document  itself  is  30  April 
2010,  we  just  want  to  make  sure  —  and  it  may  have  been  a 
misperception  on  our  part,  but  just  to  make  that  clear. 

TC [MAJ  FEIN]:  I  can  reread  that  line.  Your  Honor. 

MJ:  Why  don't  you  go  ahead  and  do  that. 

TC [MAJ  FEIN]:  Yes,  ma’am.  So,  this  is  Page  2,  Paragraph  5, 

Your  Honor,  the  middle  of  the  paragraph.  "I  oversaw  the  agents  as 
they  copied  the  Department  of  State  server  logs  from  January  2009  to 
June  2009,  and  from  30  April  2010  to  15  June  2010." 

MJ:  All  right.  Thank  you.  Any  objection  to  Prosecution 

Exhibit  97  for  Identification? 

ADC [MAJ  HURLEY]:  No,  ma'am. 
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1  MJ:  May  I  see  it,  please?  Prosecution  Exhibit  97  for 

2  Identification  is  admitted. 

3  TC [MAJ  FEIN]:  Ma'am,  the  United  States  offers  to  read  on  to  the 

4  record  of  Stipulation  of  Expected  Testimony  for  Mr.  Gerald  Mundy 

5  dated  26  June  2013  and  has  been  marked  as  Prosecution  Exhibit  163 

6  Alpha  for  Identification. 

7  MJ:  Proceed. 

8  MJ:  It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 

9  Trial  Counsel,  that  if  Mr.  Gerald  Mundy  were  present  to  testify 

10  during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he 

11  would  testify  substantially  as  follows: 

12  I  am  currently  a  Branch  Manager  for  the  Bureau  of 

13  Intelligence  and  Research  (INR)  at  the  Department  of  State.  In  this 

14  position,  I  am  responsible  for  supervising  the  staff  and  contract 

15  personnel  within  INR.  I  am  the  Information  Security  Systems  Operator 

16  (ISSO)  for  INR.  I  have  worked  there  since  2012.  Before  working 

17  there,  I  was  with  the  Information  Resources  Management  (IRM)  at  the 

18  Department  of  State  from  2006  to  2012,  where  I  managed  the 

19  contractors,  the  firewall  program  and  engineering,  and  managed  both 

20  classified  and  unclassified  firewalls.  In  this  position,  I  ensured 

21  the  security  of  specific  Department  of  State  systems  used  to  secure 

22  CLASSNET,  the  internal  Department  of  State  classified  system,  as  well 

23  as  Net-Centric  Diplomacy  (NCD) .  Prior  to  that,  I  was  a  contractor 
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1  for  Department  of  State  from  2002  to  2006  and  did  similar  information 

2  technology  (IT)  security  work.  Finally,  from  1982  to  1996,  I  served 

3  in  the  United  States  Army.  During  this  time,  I  was  a  Military  Police 

4  Officer  (1982  to  1984)  and  also  worked  as  a  72  Golf,  in 

5  telecommunications  (1984  to  1996) . 

6  In  addition  to  my  work  experience,  I  have  several 

7  certifications  which  qualify  me  for  my  current  position.  I  am,  for 

8  instance,  a  Certified  Information  Systems  Security  Professional 

9  (CISSP) .  This  is  a  globally-recognized  standard  of  achievement  that 

10  confirms  an  individual' s  knowledge  in  the  field  of  information 

11  security.  Furthermore,  I  am  certified  as  an  Information  Systems 

12  Manager  (CISM)  which  trains  on  the  information  management  to  include 

13  capacity,  planning,  design,  and  development  of  systems,  and  Network 

14  Plus  Security  training,  which  is  vendor-neutral  security  training, 

15  similar  to  what  is  taught  in  CISSP  training.  I  have  vendor  training 

16  and  certifications  in  the  Stonegate  software  for  system 

17  administration  and  engineering  as  well.  Stonegate  is  the  software 

18  used  by  the  Department  of  State  firewall,  which  is  made  by  Stonesoft. 

19  A  firewall  is  a  boundary  which  protects  a  computer  system. 

20  A  firewall  in  this  instance  protects  our  NCD  database  as  well  as  our 

21  CLASSNET.  NDC  is  located  in  what  is  commonly  referred  to  as  the  DMZ 

22  between  the  Department  of  Defense's  SIPRNET  and  Department  of  State's 

23  CLASSNET.  The  DMZ  is  protected  with  special  access.  The  firewall  is 
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1  located  in  the  DMZ  between  SIPRNET  and  NCD.  There  is  another 

2  firewall  located  between  NCD  and  CLASSNET.  The  firewall  logs  track 

3  the  data  entering  a  server  which  exists  on  SIPRNET  and  CLASSNET.  The 

4  Department  of  State  firewall  software  automatically  registers  the  IP 

5  address  of  computers  accessing  our  system.  It  further  tracks  the 

6  source,  time  and  date  of  access,  destination,  action,  protocol,  and 

7  port  associated  with  that  IP.  A  log  is  created  any  time  a  Hypertext 

8  Transfer  Protocol  (HTTP)  talks  to  a  TCP  and  successfully  receives 

9  information.  An  HTTP  is  the  foundation  of  data  communication  for  the 

10  World  Wide  Web.  It  consists  of  packets  of  data,  which,  when 

11  connected  wirelessly  or  via  Ethernet  cable,  creates  a  network  for 

12  communication.  A  TCP  provides  reliable,  ordered,  error-checked 

13  delivery  of  a  stream  of  data  between  programs  running  on  computers 

14  connected  to  the  Internet.  Simply  put,  if  HTTP  is  a  highway,  TCP 

15  constitutes  the  lanes  on  the  highway. 

16  The  log  data  is  computer  generated  and  can  be  searched  by 

17  network  personnel  who  need  to  access  the  information  it  collects. 

18  Normally,  we  used  this  data  to  ensure  the  security  of  our  system.  I 

19  know  the  firewall  data  is  accurate  because  it  is  computer-generated 

20  and  it  always  logs.  There  is  no  possibility  of  error  because  if  the 

21  system  gets  full  it  starts  to  overwrite  the  oldest  information.  In 

22  addition,  our  network  personnel  conduct  troubleshooting  on  the  system 

23  by  interrogating  the  logs  on  a  daily  basis.  This  means  we  check  the 
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1  logs  and  ensure  the  system  is  pulling  data  as  intended  and  expected. 

2  The  audit  data  is  maintained  on  our  own  CLASSNET,  on  its  own 

3  protected  closed-system  interface.  The  firewall  logging  software  and 

4  the  data  it  produces  are,  therefore,  secure. 

5  I  became  involved  in  this  case  after  the  Department  of 

6  State  Deputy  Chief  Information  Officer  (DCIO)  Charlie  Wisecarver 

7  requested  that  I  isolate  the  data  from  the  firewall  logs  for  November 

8  2009  to  June  2010,  and  for  IP  addresses  22.225.41.22  and 

9  22.225.41.40.  To  execute  Mr.  Wisecarver' s  request  in  this  case,  I 

10  supervised  the  pulling  of  the  information.  The  command  used  to 

11  interface  with  our  firewall  logging  software  is  more  user-friendly 

12  than  Structured  Query  Language  (SQL) .  The  files  were  pulled  in  date 

13  and  time  groups  because  of  the  size  of  the  files  and  were  saved  in 

14  .pdf  format.  Saving  is  an  automatic  function  of  the  SQL-like  command 

15  when  entering  the  search  query  database  to  pull  the  information.  The 

16  information  was  not  altered  in  any  way  during  the  computer-generated 

17  pull.  The  information  that  is  pulled  and  the  format  in  which  it  is 

18  saved  will  vary  depending  on  the  type  of  infor  —  the  type  of  command 

19  written. 

20  I  will  explain  the  logs  by  using  the  following  example, 

21  which  is  an  entry  pulled  from  the  file  containing  the  date  range  1 

22  February  2010  to  1  March  2010  from  the  22.225.41.40  IP  address. 
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1  If  there  is  no  information  in  the  log,  it  means  that  there 

2  is  no  relevant  information  for  the  entry. 

3  The  creation  time  is  the  time  that  the  user  was  allowed 

4  through  the  firewall.  In  the  above  example  it  is  2010-02-14 

5  15:41:38. 

6  The  event  is  what  the  user  was  doing.  It  shows  the  action 

7  that  triggered  the  rule.  In  the  above  example,  new  connection  is  the 

8  event,  which  is  showing  that  the  source  IP  address  was  trying  to 

9  establish  a  new  connection  with  the  destination  IP  address. 

10  The  action  is  what  the  firewall  is  doing.  Typically,  the 

11  firewall  will  allow  or  deny  the  event.  In  the  above  example,  the 

12  action  is  allow  which  means  that  source  IP  address  was  able  to 

13  establish  a  new  connection  with  the  destination  IP  address.  The  user 

14  was  able  to  enter  NCD  and  access  what  the  user  requested. 

15  The  src  address  is  the  source  address.  This  is  IP  address 

16  of  the  system  that  is  sending  the  request.  In  the  above  example,  the 

17  source  address  is  22.225.41.40.  This  is  one  of  the  two  IP  addresses 

18  encompassed  by  our  data  pull. 

19  The  service  is  just  an  administrative  term  and  represents 

20  the  name  of  the  web  browsing  protocol.  In  the  above  example,  it  is 

21  Generic  80. 
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1  The  IP  Protocol  is  the  way  the  IP  address  is  —  excuse  me, 

2  the  IP  addresses  are  communicating.  In  the  above  example,  it  is  TCP 

3  (Transmission  Control  Protocol) .  TCP  is  further  described  above. 

4  In  summary,  the  above  entry  tells  me  that  the  computer  with 

5  the  IP  address  22.225.41.40  accessed  the  NCD  server  on  14  February 

6  2010. 

7  Once  all  the  firewall  logs  were  pulled  and  saved  into  the  - 

8  -  onto  the  share  drive,  they  were  burned  to  a  disk.  I  even  brought 

9  the  disk  to  the  ISSO  for  a  classification  —  excuse  me.  Your  Honor. 

10  I  then  brought  the  disk  to  the  ISSO  for  a  classification  review. 

11  After  the  classification  review,  I  gave  the  disk  to  Mr.  Wisecarver. 

12  At  no  point  in  collecting,  preserving,  or  transporting  the 

13  information  did  I  alter  the  content  or  device  used  to  store  it.  I 

14  have  no  reason  to  believe  this  evidence  was  altered  or  contaminated 

15  in  any  way. 

16  A  firewall  is  a  mechanism  designed  to  keep  unauthorized  IP 

17  addresses  from  connecting  to  a  network  or  computer  system  that  could 

18  contain  a  database.  The  Department  of  State  firewall  only  prevented 

19  a  source  IP  address  from  outside  the  Department  of  State  from 

20  connecting  to  the  CLASSNET.  The  firewall  only  regulates  connections 

21  by  IP  address.  Types  of  access  and  authorities  were  regulated  by  the 

22  NCD,  if  at  all,  once  a  connection  was  made  through  the  firewall 

23  protections.  There  is  no  evidence  to  suggest  that  PFC  Manning  used 
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1  any  tools  to  defeat  the  firewall  protections.  Like  all  users  on 

2  SIPRNET,  he  was  authorized  to  connect  using  SIPRNET  through  the 

3  firewall  to  NCD . 

4  The  log  data  is  on  a  standard  silver-colored  CD  marked  with 

5  "WikiLeaks  DoS  Firewall  Logs  13  Oct  10."  I  recognize  the  firewall 

6  log  data  based  on  the  date  and  time  stamp  of  the  logs,  as  well  as  the 

7  information  type  pulled  and  the  nomenclature  such  as  the  vender  marks 

8  and  the  initials  IPS,  FW  that  appear  at  the  top  of  the  logs,  which 

9  signify  the  Department  of  State  Bureau  and  firewall.  Through  my  work 

10  I  have  experience  reading  these  types  of  logs.  And,  in  this  case,  I 

11  pulled  a  sample  of  the  requested  information  to  ensure  it  was  what 

12  DCIO  Wisecarver  wanted.  Prosecution  Exhibit  68  for  Identification  is 

13  the  log  data  I  pulled. 

14  Your  Honor,  the  United  States  moves  to  admit  what  has  been 

15  marked  as  Prosecution  Exhibit  68  for  Identification  into  evidence  as 

16  Prosecution  Exhibit  68. 

17  ADC [MAJ  HURLEY]:  No  objection,  ma'am. 

18  MJ:  Prosecution  Exhibit  68  for  Identification  is  —  did  I 

19  already  admit  that? 

20  TC [MAJ  FEIN]:  One  moment.  Your  Honor. 

21  MJ:  My  initials  are  on  it,  that's  why  I'm  asking.  And  my 

22  exhibit  list  has  it  admitted. 
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1  TC[MAJ  FEIN]:  Ma'am,  we  are  tracking  that  you  did  already  admit 

2  it  and  we'll  verify  with  what  witness  and  when.  Yes,  ma'am.  When 

3  the  United  States  read  on  to  the  record  Special  Agent  Wilbur, 

4  Prosecution  Exhibit  72  Stipulation,  the  United  States  moved  to  admit 

5  Department  of  State  firewall  logs.  Prosecution  Exhibit  68.  And  to 

6  repeat  what  I  said  because  I  was  not  near  a  microphone,  when  the 

7  United  States  moved  when  reading  —  after  reading  the  Stipulation  of 

8  Expected  Testimony  for  Special  Agent  Wilbur,  Prosecution  Exhibit  72, 

9  the  United  States  moved  to  admit  Department  of  State  firewall  logs, 

10  Prosecution  Exhibit  68,  and  they  were  admitted. 

11  Ma'am,  the  United  States  I  think  probably  now  is  a  good 

12  time  to  take  a  lunch  recess. 

13  MJ:  All  right.  How  long  would  you  like? 

14  TC[MAJ  FEIN]:  Hour  and  15  minutes,  ma'am,  reconvene  at  1315. 

15  MJ:  All  right.  Court  is  in  recess  until  1315. 

16  [The  court-martial  recessed  at  1204,  26  June  2013.] 

17  [The  court-martial  was  called  to  order  at  1329,  26  June  2013.] 


18 

MJ:  Court  is 

called  to  order. 

Let  the  record 

reflect 

all 

19 

parties  present  when  the  Court  last 

recessed  are 

again  present  in 

20 

court.  Major  Fein, 

.  are  you  ready  to 

proceed? 

21 

TC [MAJ  FEIN] : 

The  United  States  is  ready. 

Ma' 

' am,  the 

United 

22  States  offers  to  read  three  stipulations  with  respect  to  testimony 

23  onto  the  record.  The  first  stipulation.  Your  Honor,  is  the 
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1  Stipulation  of  Expected  Testimony  for  Special  Agent  Ronald  Rock  dated 

2  9  June,  2013,  Prosecution  Exhibit  79. 

3  It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 

4  Trial  Counsel,  that  if  SA  Ronald  Rock  were  present  to  testify  during 

5  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he  would 

6  testify  substantially  as  follows: 

7  I  currently  work  as  a  Special  Agent  with  the  U.S. 

8  Department  of  State,  Diplomatic  Security  Service  (DSS) .  Prior  to 

9  becoming  a  Special  Agent  with  the  DSS,  I  served  as  a  Sergeant  on  the 

10  DSS,  Uniformed  Division  from  1999-2001.  There,  I  provided  oversight 

11  for  over  50  uniformed  officers  at  nine  DoS  annexes  in  Washington, 

12  D.C.  and  Maryland.  I  graduated  from  the  DSS,  Basic  Special  Agent 

13  Class  in  July  2002  where  I  won  the  DSS  Director's  award  as  the  top 

14  graduate.  Since  then,  I  have  served  in  the  DSS  Washington  Field 

15  Office  (2002-2004);  the  Secretary  of  State's  Protective  Detail  (2004— 

16  2006);  U.S.  Embassy  Bogota  (Colombia)  (20062008);  the  National 

17  Defense  Intelligence  College  (2008-2009) ;  the  Special  Investigations 

18  Division  (2009-2012) .  During  my  3  years  in  the  Special 

19  Investigations  Division  (SID) ,  where  I  was  promoted  to  Acting  Branch 

20  Chief  in  charge  of  supervising  seven  other  special  agents,  my 

21  portfolio  included  the  responsibility  for  investigating  cases  of 

22  criminal  and  administrative  misconduct  by  DoS  employees,  their  family 

23  members  and  contractors,  as  well  as  employees  from  other  agencies 
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1  under  Chief  of  Mission  authority  at  U.S.  Consulates  and  Embassies 

2  worldwide.  I  led  the  investigative  effort  for  DSS  on  several  high 

3  profile  cases  involving  the  unauthorized  disclosure  of  DoS  classified 

4  information.  Additionally,  I  drafted  the  standard  operating 

5  procedure  by  which  SID  currently  investigates  leaks  of  DoS  classified 

6  information. 

7  I  currently  work  at  the  U.S.  Consulate  in  Mazar-e  Sharif, 

8  Regional  Command  North,  Afghanistan.  There,  my  team  and  I  are 

9  responsible  for  the  safety  and  security  of  all  American  diplomats  who 

10  travel  through  the  nine  provinces  comprising  Northern  Afghanistan. 

11  In  this  case,  I  was  involved  with  the  coordination  for 

12  evidence  collection,  as  well  as  the  actual  collection  of  evidence  at 

13  the  Department  of  State.  Specifically,  I  coordinated  with  Department 

14  of  State,  Deputy  Chief  Information  Officer  (DCIO)  Charlie  Wisecarver 

15  to  obtain  a  CD  containing  Department  of  State  SIPRNET  firewall  log 

16  traffic  for  IP  addresses  22.225.41.40  and  22  —  22.225.41.22.  On  14 

17  October  2010,  I  visited  DCIO  Wisecarver  in  Washington,  D.C.  and 

18  collected  a  disk  containing  the  firewall  logs  from  the  Department  of 

19  State  classified  system.  The  disk  was  a  silver  CD  bearing  the 

20  markings  "Wikileaks  DoS  Firewall  Logs  13  Oct  10."  It  bore  a  US 

21  Government  SECRET  sticker.  This  disk  was  important  to  our 

22  investigation  as  the  logs  showed  connections  between  the  Department 
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of  State  NCD  Database  and  the  IP  addresses  of  the  SIPRNET  machines 
assigned  to  PFC  Manning. 

On  15  October  2010,  I  signed  the  CD  marked  with  the  words 
"Wikileaks  DoS  Firewall  Logs  13  October  201  0"  over  to  SA  John 
Wilbur.  I  handled  this  evidence  consistent  with  procedures  as  I  have 
been  trained.  When  signing  over  the  evidence,  I  used  a  Department  of 
the  Army  Evidence  Property  Document  (DA  Form  4137)  with  the  label  DN 
151-10  and  this  CD  was  item  1  (Bates  numbers:  00411151  through 
00411152) .  While  in  possession  of  this  evidence,  I  maintained 
positive  control.  I  did  not  alter  the  information  on  the  CD.  I  have 
no  reason  to  believe  this  evidence  was  damaged  or  contaminated  in  any 
way.  I  did  not  touch  this  evidence  again. 

Prosecution  Exhibit  68  for  Identification  is  this  CD  (DN 
151-10,  Item  1) . 

Your  Honor,  Stipulation  of  Expected  Testimony  from  Mr.  Kirk 
Ellis  dated  9  June  2013,  Prosecution  Exhibit  77. 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 
Trial  Counsel,  that  if  Special  Agent  Kirk  Ellis  were  present  to 
testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows: 

I  am  currently  a  Special  Agent  Criminal  Investigator  and 
Certified  Digital  Forensic  Examiner  for  the  United  States  Army 
Criminal  Investigation  Command  (CID) .  I  am  assigned  to  the  Rock 
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1  Island  Front  Resident  Agency  within  the  Major  Procurement  Fraud  Unit 

2  and  currently  deployed  to  Afghanistan.  In  this  position  I 

3  investigate  fraud  cases  as  a  case  agent.  When  in  the  United  States  I 

4  also  provide  forensic  examination  services  to  our  local  field 

5  offices.  I  have  held  this  position  for  about  a  year.  Previously  I 

6  worked  at  CIDs  Computer  Crim  —  Crimes  Investigative  Unit  (CCIU)  as  a 

7  Computer  Crimes  Program  Manager  at  Fort  Belvoir,  Virginia  and  Marine 

8  Corps  Base  Quantico,  Virginia.  I  have  also  worked  as  a  case  agent 

9  with  CCIU.  I  have  had  —  I  have  been  a  civilian  special  agent  since 

10  2008,  before  that  I  was  Active  Duty  CID  Agent  for  3  years  at  Fort 

11  Bragg,  North  Carolina. 

12  I  have  substantial  training  that  qualifies  me  for  my 

13  position.  I  have  attended  several  courses  run  by  the  Defense  Cyber 

14  Investigations  Training  Academy  (DCITA)  in  Lithicum,  Maryland.  I 

15  have  used  the  EnCase  Forensic  Tool  on  multiple  occasions  in  my  line 

16  of  work.  I  am  also  a  Department  of  Defense  Certified  Computer  Crimes 

17  Investigator.  I  have  a  Bachelor's  Degree  in  Multi-Disciplinary 

18  Studies  with  a  focus  on  business  and  criminal  justice  from  Liberty 

19  University  in  Lynchburg,  Virginia.  I  have  worked  more  than  a  dozen 

20  fraud  cases  and  approximately  a  dozen  cases  for  CCIU  and  about  50  to 

21  60  cases  as  an  Active  Duty  CID  Special  Agent. 

22  I  first  became  involved  in  this  case  when  I  was  a  case 

23  agent  with  CCIU.  Throughout  the  course  of  this  investigation  I 
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1  worked  with  several  other  special  agents  on  the  investigative  team 

2  including  Special  Agent  Bowen,  Special  Agent  Wilbur,  Special  Agent 

3  Edwards,  Special  Agent  Aymes,  and  Special  Agent  Mandor.  Primarily  my 

4  role  in  the  investigative  team  was  to  assist  with  witness  questioning 

5  and  with  electronic  data  collection.  Specifically,  Special  Agent 

6  Bowen  and  I  collected  the  Department  of  State  server  logs  on  15  June 

7  2010.  After  coordinating  with  Mr.  Albert  John  Janek  at  the 

8  Department  of  State  for  authorization  we  collected  logs  from  a  server 

9  room  in  the  Harry  S.  Truman  Building  of  the  Department  of  State  in 

10  Washington  D.C.  We  were  interested  in  collecting  the  Department  of 

11  State  server  logs  so  we  could  see  users  that  had  accessed  the  servers 

12  and  while  —  and  what  files  were  specifically  accessed.  In  this 

13  instance  we  collected  or  copied  the  logs  from  January  2009  to  June 

14  2009  and  from  30  April  2010  to  15  June  2010.  We  were  not  able  to 

15  collect  Department  of  State  server  logs  files  between  July  2009  and 

16  30  April  2010,  based  on  an  electronic  recording  gap. 

17  The  files  that  were  copied  were  placed  in  zip  files  and 

18  named,  "logs.zip"  and  "newlogs.zip".  I  collected  these  log  files  in 

19  accordance  with  the  training  I  have  received.  The  Department  of 

20  State  gave  me  a  host  computer  that  could  access  the  logs  between 

21  their  firewall  and  collected  the  files  on  a  clean  USB  removable  drive 

22  (thumb  drive) .  It  was  my  practice  to  wipe  and  format  a  thumb  drive 

23  prior  to  collection.  Wiping  is  more  than  just  deleting.  It  means 
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1  forensically  removing  all  information  from  a  drive.  It  ensures  a 

2  device  is  completely  empty  of  all  types  of  data.  Mr.  Janek  first 

3  possessed  the  thumb  drive  and  then  signed  it  over  to  me  when  I 

4  finished  collecting  the  files  from  the  host  computer.  After  Mr. 

5  Janek  signed  the  thumb  drive  over  to  me  I  brought  the  thumb  drive 

6  back  to  CID.  I  created  an  image  of  the  information  using  EnCase.  I 

7  imaged  these  items  of  evidence  so  that  the  data  on  the  device  can  be 

8  forensically  examined  without  exposing  the  actual  collected  contents 

9  to  examination. 

10  The  image  I  created  was  verified  by  hash  value  match.  I 

11  encountered  no  errors  while  conducting  the  imaging  of  the  evidence  at 

12  issue  in  this  case.  Once  I  verified  that  the  hash  values  matched  I 

13  saved  the  EnCase  image  on  a  DVD  so  they  could  be  examined  and  logged 

14  in  as  evidence.  I  know  it  was  clean  and  appropriate  for  evidence 

15  collection  for  two  reasons:  First,  it  was  the  same  type  of  DVD  our 

16  office  uses  to  collect  evidence  in  our  standard  digital  evidence 

17  collection  practices.  Second,  it  was  new  and  factory  made.  I  know 

18  the  data  I  put  onto  it  had  been  unaltered  because  the  hash  values  of 

19  the  logs  collected  onto  the  clean  thumb  drive  matched  the  hash  value 

20  of  the  logs  that  I  saved  —  after  I  saved  them  to  the  DVD.  The  DVD 

21  was  marked,  "0028-10-CID-221-10117  DEPT  of  State  Server  Logs, 

22  199.56.188.73".  I  used  a  DA  Form  4137,  Evidence  Property  Custody 

23  Document  (EPCD) ,  Document  Number  DN78-10  to  describe  the  evidence  and 
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1  sign  it  over  to  the  evidence  custodian,  Mr.  Garon  Young.  I  do  not 

2  have  any  reason  to  believe  that  the  evidence  suffered  damage  or 

3  contamination.  I  did  not  touch  this  evidence  again.  Prosecution 

4  Exhibit  97  for  Identification  is  DN78-10,  the  DVD  containing  the 

5  Department  of  State  Server  Logs. 

6  Your  Honor,  a  Stipulation  of  Expected  Testimony  from  Mr. 

7  James  Downey,  dated  17  June  2013,  Prosecution  Exhibit  149. 

8  It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 

9  Trial  Counsel,  that  if  Mr.  James  Downey  were  present  to  testify 

10  during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he 

11  would  testify  substantially  as  follows. 

12  I  work  at  Defense  Information  Systems  Agency  (DISA) ,  Fort 

13  Meade,  Maryland.  Specifically,  I  am  a  part  of  the  Program  Executive 

14  Office  for  Mission  Assurance  (PEO-MA)  and  Network  Operations.  I  am 

15  the  program  manager  for  attack  analysis.  I  have  held  this  position 

16  since  2007.  I  hold  the  Global  Information  Assurance  Certification 

17  (GIAC)  security  leadership  certification  (GSLC) ,  and  I  am  a  certified 

18  ethical  hacker. 

19  The  PEO-MA  department,  where  I  currently  work,  provides 

20  program  management  for  various  programs  that  help  secure  the  IT 

21  information  within  the  Department  of  Defense  (DoD) .  Within  PEO-MA,  I 

22  work  for  the  Community  Data  Center  (CDC) .  The  CDC  hosts  a  set  of 

23  tools  used  by  people  who  secure  DoD  networks.  We  host  enterprise 
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1  level  Information  Assurance  (IA)  tools  and  net  defense  tools,  which 

2  enable  analysts  to  basically  ensure  the  availability  and  integrity  of 

3  the  networks  that  DISA  provides  for  DoD.  "Enterprise  tools"  are 

4  those  which  are  capable  of  handling  the  amount  of  data  we  deal  with 

5  and  the  large  and  complicated  networks  with  which  we  work.  Since 

6  DISA  is  like  an  internet  server  provider  for  DoD,  we  operate  on  a 

7  scale  which  is  much  larger  than  what  the  commercially  available  tools 

8  are  designed  to  handle.  A  "tool"  is  just  what  it  sounds  like, 

9  something  that  allows  us  to  do  our  network  management  job.  Usually, 

10  it  is  information  or  a  way  of  processing  or  gathering  information. 

11  The  tool  relevant  to  this  case  is  the  data  we  use  called 

12  Net flow  data.  This  is  a  type  of  data  which  was  developed  by  Cisco, 

13  but  which  is  now  industry  standard.  With  it,  we  can  capture  the 

14  Internet  Protocol  (IP)  addresses  of  two  computers  communicating  — 

15  excuse  me.  Your  Honor,  communicating  across  the  system,  as  well  as 

16  the  volume  of  traffic  which  flows  between  them.  We  use  YAF  to 

17  collect  this  data.  YAF  stands  for  "yet  another  flow  meter".  This 

18  tool  was  developed  by  Carnegie  Mellon  and  is  the  industry  standard. 

19  Just  like  any  meter,  it  measures  and  then  creates  a  data  record  of 

20  the  flow  past  a  data  collection  point.  A  point  of  collection  is  any 

21  of  the  various  monitoring  points  we  have  stationed  at  key  perimeter 

22  locations  throughout  the  network;  for  example,  where  a  DoD  network 

23  crosses  or  connects  to  the  commercial  world.  These  points  monitor 
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1  all  traffic,  or  computer  to  computer  communication,  crossing  from  one 

2  side  of  the  router  to  another.  Our  system  would  "see"  when  someone 

3  is  on  a  work  computer  browsing  internet  websites  like  yahoo  while  on 

4  NIPRNET  or  the  United  States  Central  Command  Server  from  a  computer 

5  in  Iraq  while  on  SIPRNET.  The  system  detects  the  capacity  being  used 

6  during  that  communication  and  at  that  location.  The  information  can 

7  communicate  whether  something  is  being  downloaded  onto  the  computer  - 

8  -  excuse  me,  Your  Honor,  on  that  computer.  We  collect  Netflow  data 

9  on  NIPRNET  and  SIPRNET.  There  are  relatively  few  routers  collecting 

10  Netflow  data  throughout  the  entire  SIPRNET.  Because  this  system  only 

11  collects  information  passing  from  one  side  of  the  router  to  another, 

12  it  does  not  collect  Netflow  data  passing  within  a  network  that  does 

13  not  cross  through  a  collecting  router.  For  example,  if  a  computer  is 

14  communicating  with  a  server  or  another  computer  within  the  Iraq 

15  SIPRNET  domain,  that  activity  would  not  be  captured  in  Netflow  data, 

16  because  the  connection  and  data  do  not  cross  through  the  Iraq  SIPRNET 

17  domain  router,  but  rather  stays  within  the  Iraq  SIPRNET  domain 

18  network. 

19  We  collect  this  Netflow  data  for  several  reasons.  First, 

20  we  use  the  data  to  conduct  traffic  analysis.  It  allows  our  analysts 

21  to  see  where  they  need  to  deploy  additional  capacity  in  the  DoD 

22  network.  For  example,  if  one  segment  of  the  system  is  getting  more 

23  traffic  than  another,  it  may  need  a  larger  router.  This  type  of  work 
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falls  within  the  purview  of  those  CDC  analysts  working  on  network 
operations  and  maintenance.  These  analysts  focus  on  maintaining  the 
availability,  robustness,  and  proper  functioning  of  the  Netflow  data. 
They  ensure  that  the  system  is  collecting  data  correctly,  that  it  is 
securely  transported  and  stored,  and  that  the  system  used  to  access 
the  information  is  on-line  and  functioning  properly.  Another  section 
however  uses  the  Netflow  data  to  defend  the  DoD  network  from  threats. 
For  example,  if  a  regular  DoD  user  has  a  virus  on  his/her  computer 
that  tries  to  connect  to  a  malicious  computer  outside  the  network, 
our  tools  enable  our  analysts  to  detect  that  and  take  the  offending 
computer  offline.  This  section  can  investigate  suspicious  activity. 

I  work  in  the  section  that  manages  the  delivery  of  CDC  capabilities. 
Finally,  we  also  have  a  group  using  the  Netflow  data  to  research  — 
to  do  research  and  development.  The  Research  and  Development  group 
analyzes  the  data  to  try  and  find  patterns  which  might  help  them 
identify  behavior  going  on  that  we  do  not  currently  have  a  means  of 
detecting.  For  example,  with  older  viruses  it's  easy  to  know  when 
something  has  been  infected,  but  newer  ones  can  be  more  cautious  in 
how  they  operate.  By  looking  at  patterns  over  time,  our  analysts 
might  be  able  to  see  something  that  helps  them  find  compromised 
computers  in  the  network  before  the  virus  infects  others. 

Centaur  is  what  we  call  the  system  we  use  to  track  the 
Netflow  data  I  just  described.  It  is  one  of  the  systems  with  which  I 
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1  work  in  the  PEO-MA.  A  Centaur  log  is  the  data  output  from  our 

2  Netflow  data  system.  I  became  involved  in  this  case  after  DISA 

3  launched  an  audit  initiative  focused  on  integrating  and  analyzing 

4  multiple  data  sources  to  identify  and  track  potential  insider  threats 

5  on  SIPRNET .  Because  of  my  job,  I  am  familiar  with  the  Netflow  data 

6  Centaur  generates  for  SIPRNET.  I  received  a  request  to  pull  the 

7  Centaur  logs  showing  communications  between  three  SIPRNET  IPs  and  for 

8  a  specific  period  of  time.  The  date  range  of  interest  was  October 

9  2009  to  May  2010.  Investigators  were  interested  in  the  following  IP 

10  addresses:  22.225.29.185,  22.225.41.22,  and  22.225.41.40. 

11  To  look  at  the  Centaur  data  from  SIPRNET,  analysts  use  a 

12  tool  developed  by  Carnegie  Melon,  called  SILK-System  for  Internet 

13  Level  Knowledge.  Once  gathered,  the  Centaur  log  can  show  certain 

14  pieces  of  information.  I  will  explain  how  to  read  the  Centaur  logs 

15  by  way  of  example  with  the  following  log. 

16  Your  Honor,  rather  than  reading  the  table  that  is  provided 

17  the  remaining  portion  actually  describes  the  information  in  the 

18  table.  So,  I  will  skip  that  portion. 

19  The  "sIP"  is  the  source  IP.  It  is  the  Internet  Protocol 

20  (IP)  address  of  the  computer  that  initiated  the  conversation  that  log 

21  line  is  tracking.  A  "conversation"  is  a  set  of  transactions  that  has 

22  in  common  the  same  source  and  destination  IPs  and  ports  of  which 

23  occurs  within  the  same  time  frame.  In  the  above  example. 
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22.225.41.40  (the  destination  IP  addressed)  received  information  from 
the  sending  IP  address,  which  is  204.37.126.39. 

Prosecution  Exhibit  164  for  Identification  is  a  list  of 
many  of  the  organizations  who  are  associated  with  or  own  the  IP 
addresses  searched  by  the  22.225.29.185,  22.225.41.22,  and 
22.225.41.40  IP  addresses. 

MJ:  Can  I  interrupt  you  for  just  a  second? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  The  copy  that  the  Court  has  is  Prosecution  Exhibit  152. 

Was  there  a  change  made? 

TC [MAJ  FEIN]:  Yes,  ma'am.  That  is  what  was  reflected  prior  to 
the  lunch  recess  that  this  is  Page  3  and  that  Prosecution  Exhibit  152 
was  changed  with  the  concurrence  of  the  defense  to  Prosecution 
Exhibit  164.  So,  the  Court's  copy  is  —  The  Court  needs  a  newer  copy 
of  the  actual  Stip. 

MJ:  So,  I'm  supposed  to  be  looking  at  164? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Okay.  And  I'm  looking  at  Prosecution  Exhibit  149,  which 

was  the  old  one? 

TC [MAJ  FEIN]:  No,  ma'am.  Prosecution  Exhibit  149  is  the 
Stipulation  of  Expected  Testimony  that's  been  admitted.  That 
Stipulation,  Prosecution  Exhibit  149  was  amended  prior  to  going  on 
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1  the  lunch  recess.  That  —  Right  there  in  that  paragraph,  on  top  of 

2  Page  3  the  152  was  lined  out  and  changed  to  164. 

3  MJ:  All  right.  And  I  see  a  set  of  initials  next  to  that. 

4  Major  Hurley,  is  that  your  initials  and  PFC  Manning's? 

5  ADC [MAJ  HURLEY]  Yes,  ma'am. 

6  MJ:  So,  you  all  agree  with  the  changes? 

7  ADC [MAJ  HURLEY]  Yes,  ma'am. 

8  ACC:  Yes,  ma'am. 

9  MJ:  Okay. 

10  TC [MAJ  FEIN]:  So,  ma'am,  the  152  in  that  top  paragraph  should 

11  be  slashed  through  and  it  should  be  changed  to  164. 

12  MJ:  Got  it. 

13  TC [MAJ  FEIN]:  B:  The  "dIP"  or  destination  IP  is  the  IP  address 

14  for  the  computer  that  received  the  data  from  the  SIP.  The  dIP  in  the 

15  above  example  is  22.225.41.40.  The  "s  port"  is  the  port  that  the  sIP 

16  was  using  to  communicate.  A  port  itself  is  a  way  the  computer  can 

17  carry  on  multiple  conversations  on  a  network  at  the  same  time.  You 

18  can  think  of  it  like  a  mail  slot  or  a  particular  channel  that  a 

19  computer  uses  to  hold  a  conversation.  The  s  port  in  the  above 

20  example  is  80.  S  Port  code  80  indicates  all  internet  web  traffic, 

21  including  browsing  on  the  web.  The  "d  port"  is  the  destination  port. 

22  This  is  the  port  the  dIP  was  using  to  communicate.  Essentially  it  is 

23  the  computer  which  received  the  conversation.  The  d  Port  in  the 
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1  above  example  is  2641.  The  log  item  "pro"  stands  for  protocol.  The 

2  protocol  is  the  convention,  or  language,  which  the  two  computers  were 

3  using  to  talk  to  one  another.  The  number  "6"  is  the  Transmission 

4  Control  Protocol  (TCP) .  TCP  is  a  language.  TCP  is  the  dominant 

5  protocol.  Knowing  the  protocol  is  important  because  it  tells  you  the 

6  kind  of  conversation  the  two  logged  IP  addresses  were  having.  For 

7  example,  another  protocol  is  the  number  "1"  for  ICMP.  Protocols  like 

8  TCP  are  generally  used  by  users  to  generate  and  receive  data. 

9  Protocols  like  ICMP  are  used  by  computer  systems  to  report  back  on 

10  status  or  to  support  other  protocols.  "Packets"  are  the  chunks  of 

11  the  computer  —  excuse  me.  Your  Honor.  "Packets"  are  the  chunks  a 

12  computer  breaks  information  up  into  in  order  to  transmit  it  across 

13  the  network.  The  ratio  of  packets  to  bytes  for  example  can  tell 

14  analysts  about  the  nature  of  the  conversation  occurring;  essentially, 

15  packets  communicate  complexity.  A  byte  is  simply  a  unit  of  measuring 

16  the  size  of  data  or  seeing  volume.  A  large  number  of  bytes  relative 

17  to  the  packets  means  a  large  file  is  getting  downloaded.  A  small 

18  byte  count  means  a  lower  level  form  of  communication.  The  packets  in 

19  the  above  example  is  1379.  A  byte  itself  is  simply  a  unit  of 

20  measuring  the  size  of  data  or  seeing  volume.  Beyond  its  relationship 

21  to  a  packet,  in  raw  form,  the  byte  tells  exactly  how  much  information 

22  was  exchanged  in  a  given  conversation.  "Bytes"  provide  a  straight 

23  forward  measurement  of  how  much  data  was  transmitted,  where  the 
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1  packets  can  tell  you  how  that  data  was  transmitted.  T  he  bytes  in  the 

2  above  example  is  1305267.  "s  Time"  is  the  time  the  communication 

3  between  IPs  started.  In  the  above  example  the  particular 

4  communication  between  204.37.126.39  and  22.225.41.40  stated  at 

5  2009/12/1 9T01:41:43. 633. 

6  The  column  labeled  "dur"  is  its  duration.  The  duration  is 

7  given  in  seconds.  Knowing  this  information  is  important  because 

8  different  durations  are  characteristic  of  different  kinds  of 

9  conversations.  This  information  helps  analysts  like  me  guide  our 

10  inferences  about  the  data  by  providing  context  for  the  communication 

11  we  are  seeking  to  understand.  The  above  communication  took  112.650 

12  seconds  to  complete.  "eTime"  is  the  time  a  communication  ends.  The 

13  above  communication  between  204.37.126.39  and  22.225.41.40  ended  at 

14  2009/12/19T01 : 43 : 36 . 283,  which  should  be  112.650  seconds  after  the 

15  sTime.  "Sensor"  means  the  collection  point  used  to  collect  the  data 

16  being  communicated  in  the  log  line.  It  identifies  the  router  or  the 

17  sensor  generating  the  record  and  basically  tells  us  where  on  the 

18  network  the  traffic  the  log  line  describes  occurred.  The  sensor  in 

19  the  above  example  is  SPE-SMEC. 

20  Together,  this  information  allows  analysts  to  see  the  IP 

21  address  of  an  individual  computer  using  the  system  and  the  complexity 

22  and  volume  of  information  being  communicated  as  well  as  the  length  of 

23  time  the  computer  is  conducting  its  activity.  The  above  log  tells  me 


9136 


© 


o 


1  that  the  IP  address  22.225.41.40  received  1305267  bytes  of  data  from 

2  IP  address  204.37.126.39  on  19  December  2009. 

3  As  I  indicated  earlier,  the  Centaur  log  data  is  very  useful 

4  in  detecting  suspicious  activity.  While  it  will  not  automatically 

5  alert  analysts  in  the  security  section  of  suspicious  activity,  part 

6  of  their  job  is  to  schedule  scripts  which  look  for  activity.  DISA 

7  also  deploys  detection  tools  at  multiple  locations  through  the 

8  network  with  unique  signatures.  These  look  for  a  particular  type  of 

9  suspicious  user  activity.  For  example,  going  to  a  known  blocked 

10  websites  or  known  malware  servers  is  something  we  can  detect.  When  a 

11  user  takes  the  action  that  fits  the  signature  activity,  this  action 

12  triggers  an  alert  to  an  analyst  in  something  close  to  real  time. 

13  Security  analysts  also  work  off  of  tips.  These  tips  can  come  from 

14  digital  alerts  like  the  ones  I  just  described  or  from  sources  such  as 

15  Information  Assurance  groups  within  DoD  organizations  which  are 

16  responsible  for  their  own  local  security.  Alternatively,  law 

17  enforcement  can  request  information  from  our  system  as  occurred  in 

18  this  case. 

19  The  format  in  which  the  system  returns  results  to  our 

20  queries  varies  depending  on  the  query.  All  of  these  tools  run  from  a 

21  command  line  using  text  command.  The  answer  to  the  query  comes  back 

22  in  a  native  binary  file.  But  then  another  tool  translates  that 

23  automatically  into  a  regular  text  file  so  that  it  is  readable  by  a 
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1  human.  The  analyst  then  defines  which  information  they  want  to  see 

2  and  in  what  order.  By  "information,"  I  am  referring  to  the  terms  I 

3  defined  earlier,  such  as  "sIP"  and  "dur."  An  analyst  then  makes  the 

4  report  using  this  data.  The  report  includes  the  data  and  may  also 

5  include  the  analyst's  interpretation  of  what  that  data  means,  why 

6  it's  important,  and  what  the  context  is. 

7  The  latter  occurred  in  this  case.  When  asked  for  a  certain 

8  date  range  of  data  tied  to  the  relevant  IP  addresses  in  this  case,  we 

9  pulled  the  data.  We  found  communications  for  the  IP  addresses  I 

10  discussed  earlier  between  November  of  2009  and  May  of  2010.  I  am  not 

11  aware  of  any  irregularities  occurring,  and  we  did  some  tests  to 

12  ensure  the  data  was  accurate. 

13  Drastic  changes  in  the  history  of  a  log  tell  me  one  of  two 

14  things.  When  a  log  is  not  consistent  with  previous  behavior  over  a 

15  large  period  of  time,  it  would  indicate  to  me  that  either  a  sensor 

16  was  down  or  the  relevant  computer  was  turned  completely  off.  There 

17  should  always  be  some  baseline  level  of  activity  for  a  computer 

18  connected  to  a  network. 

19  After  collecting  the  data,  I  saved  files  of  the  log  data 

20  which  were  then  burned  to  a  CD  for  the  investigators.  The  CD  was 

21  marked  "6/15/2012,  UNCLASSIFIED,  hub_out_dip . csv;  hub_out_sip . csv; 

22  spe  out  dip. csv;  spe_out_sip . csv. "  These  .csv  file  names  represent 

23  the  different  log  data  that  was  pulled.  They  show  activity  of  the 
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1  22.225.29.185,  22.225.41.40,  and  22.225.41.22  IP  addresses  as  the 

2  source  and  destination  IPs.  The  information  was  sent  via  tracked 

3  FedEx  package  to  Special  Agent  David  Shaver.  The  tracking  number  was 

4  875027891920.  Prosecution  Exhibit  152  for  Identification  is  the  CD 

5  containing  the  log  data  I  collected.  I  recognize  the  data  on  the  CD 

6  because  I  collected  it,  and  I  recognize  the  logs  based  on  the  column 

7  identifiers  and  familiarity  with  Centaur  logs,  which  I  described 

8  earlier.  A  records  custodian  attested  to  their  authenticity  on  15 

9  June  2012  at  Bates  number:  00449443. 

10  At  no  point  during  my  collection  or  transport  of  these  logs 

11  did  I  alter  them  in  any  way.  I  have  no  reason  to  believe  any  of  my 

12  colleagues  altered  the  data  or  experienced  anything  out  of  the 

13  ordinary  in  collecting  it.  And,  I  have  no  reason  to  believe  the  data 

14  provided  or  the  device  on  which  it  was  stored  was  damaged  or 

15  contaminated  in  any  way.  Finally,  I  am  not  aware  of  any  issue  in  the 

16  collection,  storage,  or  transport  of  this  information  which  would 

17  cause  it  to  have  been  incorrectly  preserved. 

18  Your  Honor,  the  United  States  moves  to  admit  what  has  been 

19  marked  as  Prosecution  Exhibit  152  and  164  for  Identification  as 

20  Prosecution  Exhibit  152  and  164. 

21  ADC [CPT  TOOMAN] :  No  objection,  ma'am. 

22  MJ:  May  I  see  them,  please?  All  right.  Prosecution  Exhibit 

23  152  for  Identification  and  164  for  Identification  are  admitted. 
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1  ATC [CPT  MORROW]:  The  United  States  calls  Special  Agent  David 

2  Shaver. 

3  SPECIAL  AGENT  DAVID  SHAVER,  U.S.  Army,  was  recalled  as  a  witness  for 

4  the  prosecution,  was  reminded  he  was  still  under  oath,  and  testified 

5  as  follows: 

6  DIRECT  EXAMINATION 

7  Questions  by  the  assistant  trial  counsel  [CPT  Morrow] : 

8  Q.  Special  Agent  Shaver,  you  testified  earlier  that  you 

9  examined  Centaur  logs  as  a  part  of  this  case.  Is  that  correct? 

10  A.  Yes,  sir. 

11  Q.  And  in  your  own  words,  what  is  Centaur? 

12  A.  Centaur  is  —  they  are  logs  filed  that  are  captured  on 

13  netflow  information. 

14  Q.  What  is  netflow? 

15  A.  Sir,  that's  the  traffic  between  two  computers.  It  will 

16  capture  things  like  source  computer,  destination  computer,  dates, 

17  times,  amount  of  data  transferred. 

18  Q.  And  how  does  Centaur  actually  capture  information? 

19  A.  There  are  sensors  throughout  the  network,  the  DoD  network, 

20  that  if  communication,  you  know,  goes  in  front  of  it,  it  will  capture 

21  it. 

22  Q.  And  you  examined  Centaur  logs  as  part  of  other 

23  investigations  at  CCIU? 
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1  A.  Yes  sir,  I  have. 

2  Q.  Why? 

3  A.  In  my  previous  role  at  CCIU  we  would  do  other  log 

4  examinations  concerning  malware.  The  Centaur  logs  are  really  good 

5  for  seeing  how  one  computer  will  communicate  with  another  for  how 

6  malware  would  propagate  on  a  network. 

7  Q.  What  do  you,  mean  by  malware? 

8  A.  Malicious  software. 

9  Q.  And  what  information  was  examined  in  this  case  by  CCIU  and 

10  specifically  you? 

11  A.  For  Centaur? 

12  Q.  Yes,  for  Centaur. 

13  A.  We  looked  at  the  log  files  pertaining  to  the  .22  and  .40 

14  computers  from  November  2009  until  May  2010. 

15  Q.  And  the  use  of  the  log  files  for  those  two  IP  addresses, 

16  what  did  they  actually  capture? 

17  A.  They  were  capturing  things  —  again,  dates  and  times,  the 

18  protocols  used  to  communicate. 

19  Q.  What  was  on  the  other  side?  Maybe  that's  a  better 

20  guestion.  What  does  Centaur  capture? 

21  A.  It  captures  an  IP  address.  It  captures  IP  addresses, 

22  things  like  that.  IP  addresses,  dates  and  times. 
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Q.  When  you  say  that  --  but  it  captures  a  connection.  Is  that 
correct? 

A.  Yes,  sir. 

Q.  And  what  does  it  capture  the  connection  of? 

A.  Transfer  of  data.  There's  data  transferred. 

Q.  Between  what? 

A.  Two  computers,  computer  and  a  server. 

Q.  So  if  a  computer  is  on  the  other  side,  that  computer  can  be 
a  server  as  well? 

A.  Yes,  sir. 

Q.  Now,  when  you're  trying  to  determine  what  computer  is  on 

the  other  side  so  you  have  the  source  IP  which  is  .22  or  .40  and 

you're  trying  to  determine  what  is  on  the  other  side,  so  whatever 
computer  the  .22  or  .40  communicate  with,  how  do  you  figure  that  out? 

A.  There's  a  few  ways.  I  basically  —  because  it's  an  IP,  I 
can  resolve  the  IP  to  a  more  friendly  name. 

Q.  What  do  you  mean  by  a  friendly  name? 

A.  For  example,  CNN.  You  can  remember  CNN.  That's  easy  to 
remember.  But  it's  actually  an  IP  address  of  a  computer  and  an  IP 
address  may  be  something  like  123.123.1.2  You  won't  remember  that. 

So  it's  called  domain  name  service,  DNS.  It  just  resolves  a  friendly 
name  to  an  IP  and  you  can  reverse  that  as  well,  figure  out  who  the  IP 
belongs  to. 
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Q.  And  the  domain  name  service,  where  is  that  tool  located? 

A.  Sir,  that's  part  of  the  —  it's  on  the  SIPRNET .  It's  just 

part  of  the  internal  classified  network. 

Q.  What  was  your  investigative  plan  for  the  Centaur  logs  you 
looked  at? 

A.  Looked  for  patterns.  Because  it  shows  data  transferred.  I 
was  kind  of  curious  to  see  which  computers  were  .22  and  .40,  what 
were  they  communicating  to  the  most. 

Q.  And  from  the  log  files  came  to  you  for  analysis,  in  what 
form  were  they  in? 

A.  They  were  in  text  files,  log  files. 

Q.  What  did  you  do  with  the  text  files? 

A.  I  put  them  in  Excel  for  easier  review. 

Q.  And  when  you  put  them  in  Excel,  did  you  alter  the 
information  in  any  way? 

A.  No,  sir. 

Q.  Now,  once  you  had  the  information  in  the  Excel  spreadsheet, 
what  did  you  do? 

A.  I  then  started  filtering.  The  first  one  I  filtered  was, 
like,  amount  of  data  transferred  and  I  just  wanted  to  figure  out, 
again,  whose  computers  were  communicated  to  the  most. 

Q.  I'm  showing  you  what's  been  marked  as  Prosecution  Exhibit 
160  for  Identification.  I'm  showing  defense  counsel.  Agent  Shaver, 
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I'm  handing  you  what's  been  marked  as  Prosecution  Exhibit  160  for 
Identification.  Do  you  recognize  that  document? 

A.  Yes,  sir.  I  do. 

Q.  What  is  it? 

A.  This  is  a  document  I  created.  It's  a  summary  of  a  small 
segment,  actually,  of  the  log  file  for  Centaur  that  —  where  I  have 
the  names,  other  remote  servers  and  the  number  of  connections  and 
data  transferred. 

ATC[CPT  MORROW]:  Permission  to  publish.  Your  Honor. 

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court  and  the  witness . ] 

Q.  We'll  go  through  this  up  here  and  follow  along.  So  I  see 
ten  numbers  on  the  left.  What  are  those  numbers? 

A.  Sir,  based  off  the  amount  of  data  transfer,  the  column  on 
the  right,  that's  where  I  sorted  on  the  amount  of  data  transferred. 
So  these  ten  are  the  top  ten  remote  computers,  the  22  and  40,  the 
Centaur  captured  them  communicating  with. 

Q.  So,  really,  it's  ordered  by  what's  on  the  very  far  right? 
A.  Correct. 

Q.  Okay.  And  I  see  a  number  of  connections.  What  does  that 

mean? 
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1  A.  That  is  just  that.  It's  a  connection.  The  Centaur  logs 

2  captured  a  connection  between  the  two  computers,  the  22  or  40,  and 

3  these  computers. 

4  Q.  Now,  with  respect  to  Line  4,  I  see  the  remote  IP  is  CIDNE 

5  Afghanistan.  Do  you  recall  the  date  range  of  those  connections  of 

6  that  data  being  transfer? 

7  A.  Yes,  sir.  That  was  January  2010,  early  January.  I  think 

8  it  was  January  2  to  January  7th. 

9  Q.  And  what  about  the  Department  of  State,  Number  1? 

10  A.  Yes,  sir.  There  are  a  lot  of  connections.  This  one 

11  captured  106  —  over  106,000,  connections  and  transferred  9.9  gigs  of 

12  data. 

13  ATC [CPT  MORROW]:  Now,  based  on  your  review  —  Your  Honor,  the 

14  government  moves  to  admit  Prosecution  Exhibit  160  for  Identification 

15  into  evidence. 

16  ADC [MAJ  HURLEY]  No  objection,  ma'am. 

17  MJ:  Prosecution  Exhibit  160  for  Identification  is  admitted. 

18  Q.  Based  on  your  review  of  the  entirety  of  the  Centaur  logs, 

19  were  the  —  did  you  notice  any  activity  that  was  missing  in  the  logs? 

20  A.  Yes,  sir.  There  were  several  dates  that  there  was  no 

21  activity  at  all. 

22  Q.  And  can  you  explain  what  no  activity  means  to  you? 
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A.  Again,  these  computers  are  still  —  they're  on  a  Windows 
domain  and,  as  such,  they  need  to  regularly  check  in.  They  need  to 
check  in  with  their  timeserver,  antivirus  server,  update  server, 
things  like  that.  There  are  several  periods  of  time  where  there  was 
connectivity  --  there  was  no  dates  at  all. 

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 

Prosecution  Exhibit  161  for  Identification. 

MJ:  Yes. 

ATC [CPT  MORROW]:  I'm  showing  the  witness  what  is  marked 

Prosecution  Exhibit  161  for  Identification. 

Q.  Do  you  recognize  that  document? 

A.  Yes,  sir. 

Q.  And  what  is  it? 

A.  This  is  a  document  I  created  to  demonstrate  —  to  show  the 
dates  present  in  the  Centaur  logs  and  the  dates  that  are  missing  from 
the  Centaur  logs. 

Q.  Now,  when  you  say  a  date  is  present  in  the  Centaur  logs, 
what  do  you  mean  by  that? 

A.  That  means  that  on  that  date  something  —  there's  some  kind 
of  network  activity,  something. 

Q.  And  when  you  say  dates  missing,  what  does  that  mean? 

A.  There  was  no  activity  at  all. 

ATC[CPT  MORROW]:  Permission  to  publish.  Your  Honor. 
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MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court  and  the  witness.] 

Q.  Agent  Shaver,  I'm  going  to  show  you  Page  1  first  and  I  want 
to  talk  about  some  of  the  larger  gaps  you  observed.  What  was  the 
first  large  gap  you  observed  in  the  Centaur  logs? 

A.  November  —  November  20th  through  November  30th,  actually. 

Q.  Okay.  What  was  the  second  large  gap  you  observed  in  the 

log? 

A.  There  is  a  large  gap  in  December  as  well,  December  6th 
through  the  —  basically,  it  looks  like  the  end  of  December. 

Q.  Okay.  I'm  going  to  show  you  the  bottom  of  that  page, 
actually.  Again,  was  there  a  large  gap  —  I  know  you  can't  see  the 
very  top  here,  the  "dates  missing"  column,  but  was  there  a  large  gap 
in  April  as  well? 

A.  Yes,  sir. 

Q.  What  was  the  large  gap  there? 

A.  On  this  page  it  shows  April  2  through  April  9th  on  this 

page. 

Q.  I'm  going  to  show  you  Page  2.  Again,  it  looks  like  there 
was  sort  of  a  large  gap  in  April  as  well  towards  the  middle  to  the 
end  of  the  month.  Is  that  correct? 

A.  Yes,  sir. 
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ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

Prosecution  Exhibit  161  for  Identification  into  evidence. 

CDC[MR.  COOMBS]:  No  objection.  Your  Honor. 

MJ:  So  admitted.  May  I  see  it?  Prosecution  Exhibit  161  for 

Identification  is  admitted. 

Q.  Now,  I  want  to  transition  to  logs  collected  from  the 
Department  of  State.  Who  examined  the  logs  collected  from  the 
Department  of  State  for  CCIU? 

A.  I  did,  sir. 

Q.  And  how  many  sets  of  logs  were  collected? 

A.  There  were  two. 

Q.  And  what  were  the  logs? 

A.  One  was  a  set  of  logs  from  a  firewall  and  another  one  was 
from  a  web  server  hosting  the  Department  of  State  cables. 

Q.  What  is  a  firewall? 

A.  Sir,  that's  either  a  physical  device  for  a  piece  of 
software  that  limits  traffic,  allows  some  traffic  in  while 
disallowing  others. 

Q.  Why  do  organizations  use  firewalls  generally? 

A.  It's  for  security  measures,  to  make  sure  certain  computers 
are  authorized  to  communicate  from  certain  ports  such  as  like  a  web 
server,  port  80.  So  it's  only  allowed  port  80  in  instead  of  others. 

Q.  And  what  kind  of  information  do  firewall  logs  capture? 
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A.  Generally,  times  and  dates,  IP  address,  connecting  in  where 
they're  going,  things  like  that. 

Q.  Does  it  capture,  you  know,  like,  data  transferred,  what 
files  were  transferred,  anything  like  that? 

A.  It  could. 

Q.  It  could?  But  what  about  the  firewall  logs  collected  in 
this  case? 

A.  It  did  not.  It  just  showed  there's  a  connection  between 
the  remote  computer  —  in  this  case,  it  was  .22  or  .40  and  the 
Department  of  State  server. 

Q.  Now,  in  what  form  did  the  firewall  logs  come  to  you  in  this 

case? 

A.  They  came  to  me  in  PDF. 

Q.  And  what  did  you  do  with  those  PDFs? 

A.  I  converted  them  to  text  and  then  I  imported  them  into 
Excel  for  easy  review. 

Q.  Once  you  got  them  in  Excel,  I  assume  you  examined  those 
logs  at  that  point.  Is  that  correct? 

A.  Yes,  sir. 

Q.  Did  the  firewall  logs  demonstrate  any  pattern  that  you 
could  see? 
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1  A.  There  were  patterns,  sir.  Again,  I  could  not  tell  you  what 

2  was  transferred,  but  I  can  tell  you  like  number  of  connections  per 

3  day. 

4  ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 

5  Prosecution  Exhibit  159  for  Identification.  I'm  handing  the  witness 

6  what's  been  marked  as  Prosecution  Exhibit  159  for  Identification. 

7  Q.  Do  you  recognize  that  document? 

8  A.  Yes,  sir. 

9  Q  What  is  it? 

10  A.  Sir,  this  is  a  document  I  created.  It  shows  the  summary  of 

11  the  source  IP,  either  .40  or  .22,  the  date  and  the  number  of 

12  connections,  the  log  entries. 


13 

Q. 

Number  of  connections  with  what? 

14 

A. 

The 

Department  of  State  server. 

15 

Q. 

The 

server  or  the  firewall? 

16 

A. 

This 

is  the  firewall  capturing. 

17  ATC [CPT  MORROW]:  Okay.  Your  Honor,  permission  to  publish. 

18  MJ:  Go  ahead. 

19  [There  was  a  brief  pause  while  the  assistant  trial  counsel  published 

20  the  exhibit  to  the  Court  and  the  witness.] 

21  Q.  Agent  Shaver,  let's  go  through  this.  What  was  the  large  — 

22  the  pattern  that  you  observed  in  the  firewall? 
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1  A.  From  the  beginning,  it  was  very  few  connections  and  then 

2  until  30  March  2010  the  IP  .22  downloaded,  or  excuse  me,  connected.  I 

3  apologize,  sir.  There  were  149,000  connections. 

4  Q.  On  30  March  from  the  .22? 

5  A.  Correct. 

6  Q.  Again,  going  down  through  April,  sort  of  the  same  type  of 

7  activity? 

8  A.  There  are  a  large  number  of  connections,  yes,  sir. 

9  Q.  Now,  I  see  between  the  last  date,  9  April  2010  and  3  May 

10  2010,  there's  sort  of  a  gap  there.  What  does  that  mean? 

11  A.  No  activity.  I  had  no  action,  no  activity  for  either  IP  at 

12  those  —  for  that  time  period. 

13  Q.  Now,  based  on  what  we  saw  on  the  Centaur  logs  for  the  April 

14  timeframe  and  then  what  we  are  now  seeing  in  the  Department  of  State 

15  firewall  logs,  what  does  that  tell  you? 

16  A.  Again,  like,  for  example,  8  April,  that  date  is  not  present 

17  in  Centaur,  but  it  is  present  here. 

18  Q.  But,  again,  you  observed  at  least  some  connections  for  some 

19  dates  in  Centaur  —  in  the  Centaur  logs? 

20  A.  Yes,  sir. 

21  MJ:  Before  you  remove  that,  let  me  just  ask  you  a  question.  So 

22  when  you're  looking  at,  for  example,  30  March  of  2010  the  computer 

23  with  the  address,  was  it  .22  or  .40? 
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1  WIT:  .22,  ma'am. 

2  MJ:  Are  you  saying  that  computer  went  to  the  Department  of 

3  State  website  that  amount  of  times? 

4  WIT:  The  firewall  log  shows  there  are  a  number  of  connections. 

5  The  issue  I  had  was,  I'm  not  exactly  sure  what  the  connections  mean. 

6  It  just  means  that  log  file  —  that  firewall  captured  that  149,000 

7  times.  That's  what  it  deemed  as  a  connection.  Is  that  individual 

8  file  being  downloaded  each  time?  I  don't  know.  I  could  just  say 

9  there's  a  connection  between  the  two  computers  that  many  times. 

10  MJ:  Let  me  ask  you  one  more  question.  If  somebody  was  to  have 

11  that  many  connections  on  one  day,  how  long  would  that  take? 

12  WIT:  Urn - 

13  ATC [CPT  MORROW]:  Actually,  Your  Honor,  I  can  ask  a  very 

14  specific  question  that  Agent  Shaver  can  speak  to. 

15  MJ:  Go  ahead. 

16  Questions  continued  by  the  assistant  trial  counsel  [CPT  MORROW] : 

17  Q.  On  30  March,  Agent  Shaver,  how  many  —  over  the  course  of 


18 

that  day. 

how  many  hours  between 

the  first 

connection  and  the  last 

19 

connection  on  that  day? 

20 

A. 

I  think  there  was  11  hours. 

21 

MJ: 

That  doesn't  answer  my 

question. 

Could  a  person  using  a 

22  computer  have  that  many  - 

23  WIT:  In  an  automated  process,  yes. 
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1  MJ:  Go  ahead. 

2  ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

3  Prosecution  Exhibit  159  for  Identification  into  evidence. 

4  CDC [MR .  COOMBS]:  No  objection.  Your  Honor. 

5  MJ:  All  right.  Prosecution  Exhibit  159  for  Identification  is 

6  admitted. 

7  Questions  continued  by  the  assistant  trial  counsel  [CPT  MORROW] : 

8  Q.  Agent  Shaver,  let's  talk  about  the  Department  of  State 

9  server  logs.  What  kind  of  information  did  the  server  logs  capture? 

10  A.  Sir,  these  were  standard  Windows  log  files.  They  captured 

11  dates  and  times,  the  remote  IP  and  the  file  requested  and  things  like 

12  that. 

13  Q.  So  they  were  a  little  more  descriptive  than  the  firewall 

14  ones? 

15  A.  Yes,  sir. 

16  Q.  Now,  did  the  server  logs,  were  there  any  large  gaps  in  data 

17  that  you  that  came  to  you  when  you  did  the  examination  in  the  server 

18  logs? 

19  A.  The  server  logs  only  were  from  April  30th  until  June.  So 

20  anything  prior  to  April  30th,  there  were  no  log  files. 

21  Q.  Do  you  know  why  there  were  no  log  files  before  that  date? 

22  A.  No,  sir,  I  do  not. 

23  Q.  Now,  what,  if  anything,  did  you  observe  in  the  server  logs? 
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A.  There  was  a  large  number  of  downloads  on  3  May  using  the  — 
from  .22  using  the  Wget  utility. 

Q  Agent  Shaver,  I'm  going  to  ask  you  to  move  to  the  panel 
box,  please  and  I'm  going  to  retrieve  Prosecution  Exhibit  158  for 
Identification. 

TC [MAJ  FEIN]:  Could  I  have  a  moment.  Your  Honor? 

MJ:  Yes. 

[There  was  a  brief  pause  while  the  trial  counsel  spoke  with  the 
assistant  trial  counsel . ] 

ATC[CPT  MORROW]:  Agent  Shaver,  could  you  move  back  to  the 

witness  box. 

Q.  I'm  handing  what's  been  marked  as  Prosecution  Exhibit  158 
for  Identification. 

A.  Yes,  sir. 

Q.  Do  you  recognize  the  document? 

A.  Yes,  sir. 

Q.  What  is  it? 

A.  This  is  one-page  of  the  log  files  for  the  Department  of 
State  server. 

Q.  Now,  when  you  say  one  page,  what's  the  number  at  the  bottom 
of  the  page? 

A.  This  is  Page  28  out  of  641. 


9154 


o 


o 


1  Q.  So  it  printed  the  activity  on  that  day  for  3  May  would  have 

2  been  641  pages? 


3 

A. 

Correct . 

4 

Q. 

Approximately  how  many 

lines  of  data. 

approximately? 

5 

A. 

17. 

6 

Q. 

On  that  page? 

7 

A. 

On  this  page,  yes. 

8 

Q. 

No,  I'm  talking  total. 

if  you  add  all 

641  pages,  how  many 

9  - 

10  A.  Thousands. 

11  Q.  an  you  describe,  in  general  terms,  sort  of  what  you're 

12  observing  in  those  logs  when  you  look  at  them? 

13  A.  Yes,  sir.  From  left  to  right  we  have  a  line  number.  Then 

14  we  have  the  remote  IP  which,  in  this  case  was  .22.  We  have  the  date 

15  and  time  of  the  file  being  downloaded.  In  this  case,  it's  May  3rd, 

16  2010,  and  then  we  have  the  files  being  downloaded.  In  this  case 

17  here.  Department  of  State  MRNs . 

18  Q.  And  you  said  something  about  Wget,  you  observed  Wget  in  the 

19  logs.  Can  you  explain  that,  please? 

20  A.  Yes,  sir.  Wget  was  the  tool  that  was  used  to  download  these 

21  files. 

22  Q  On  this  day.  May  3rd? 

23  A  Yes,  sir. 
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1  ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

2  Prosecution  Exhibit  158  for  Identification  into  evidence. 

3  ADC [CPT  TOOMAN] :  No  objection,  ma'am. 

4  MJ:  May  I  see  it  please?  Prosecution  Exhibit  158  for 

5  Identification  is  admitted. 

6  ATC [CPT  MORROW]:  We're  going  to  move  that  out  of  your  way 

7  first. 

8  [The  assistant  trial  counsel  retrieved  Prosecution  Exhibit  158  from 

9  the  witness . ] 

10  Questions  continued  by  the  assistant  trial  counsel  [CPT  MORROW] : 

11  Q.  I  want  to  move  back  to  computers  that  you  examined  in  this 

12  case. 

13  A.  Yes,  sir. 

14  Q.  Did  you  examine  any  NIPRNET  computers  collected  as  part  of 

15  this  investigation? 

16  A.  Yes,  sir,  I  did. 

17  Q.  What  did  you  examine? 

18  A.  I  examined  the  computer  —  NIPRNET  computer  ending  in  the 

19  address  .139,  which  was  a  NIPRNET  computer  in  the  common  area  of  the 

20  SCIF. 

21  Q.  Okay.  So,  let's  back  up.  When  you  say  .139,  what  are  you 

22  referring  to? 
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1  A.  I'm  referring  to  the  last  .text  of  the  IP  address.  The 

2  unit  identifier. 


3  Q. 

And  this  computer  was  collected  from  where? 

4  A. 

FOB  Hammer,  Iraq,  the  SCIF  itself. 

5  Q. 

And  did  PFC  Manning  have  a  user  account  on  this  computer? 

6  A. 

He  did. 

7  Q. 

What  was  that  user  account?  Do  you  recall? 

8  A. 

Bradley . Manning . 

9  Q. 

And  did  other  individuals  have  user  accounts  on  this 

10  computer? 


11  A. 

Yes,  sir. 

12  Q. 

And  you  said  it  was  a  common  area  computer? 

13  A. 

Yes,  sir. 

14  Q. 

Now,  was  this  computer  CAC  enabled,  so  Common  Access  Card 

15  Enabled? 


16  A. 

No,  sir,  it  was  not.  It  was  a  user  name  and  password  what 

17  had  to  be  used  to 


18  Q. 

And  when  a  user  logged  on  to  this  computer,  what  would 

19  happen? 


20  A. 

You'd  see  a  warning  banner,  sir. 

21  ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 

22  Prosecution  Exhibit  156  for  Identification  now. 

23  MJ:  What's  the  number  of  that  one? 
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ATC [CPT  MORROW]:  156. 

Q.  Agent  Shaver,  I'm  handing  you  what's  been  marked  as 
Prosecution  Exhibit  156  for  Identification.  Do  you  recognize  that 
document? 

A.  Yes,  sir. 

Q.  What  is  it? 

A.  Sir,  this  is  the  document  I  created.  I  removed  --  This  is 
a  —  the  DoD  warning  banner  from  the  .139  computer.  I  removed  it  — 
copied  it  from  the  registry  file  and  put  it  in  a  Word  document. 

Q.  So,  that's  not  actually  how  it  would  appear  on  a  computer? 

A.  No. 

Q.  You  copied  that  over? 

A.  Correct.  This  is  just  the  text  of  it,  sir. 

Q.  And  when  you  copied  it  over  did  you  alter  in  any  way? 

A.  No,  sir. 

ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

Prosecution  Exhibit  156  for  Identification  into  evidence. 

CDC [MR.  COOMBS]:  No  objection,  ma'am. 

MJ:  May  I  see  it  please?  Prosecution  Exhibit  156  for 

Identification  is  admitted. 

Q.  Agent  Shaver,  we'll  talk  about  SIPRNET  warning  banners 
later.  I  want  to  move  on  to  your  examination  of  this  computer.  Now, 
when  you  examined  this  computer,  what  exactly  did  you  examine? 
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A.  I  examined  an  image  of  the  computer  itself,  not  the 
computer. 

Q.  And  what  was  your  process  again  for  your  examination? 

A.  Sure.  The  image  was  checked  out.  I  verified  the 
acquisition  and  verification  hashes  matched.  I  made  a  working  copy 
and  I  did  my  examination  on  that. 

Q.  And  what  were  you  looking  for  on  this  computer? 

A.  Sir,  since  this  was  a  NIPRNET  computer.  I  wanted  to  see 
what  was  there  and  what  was  allocated,  the  files  and  internet  history 
and  things  like  that. 

Q.  All  right.  So  let's  talk  about  internet  history.  Where  do 
you  find  internet  history  on  a  computer? 

A.  Several  locations,  but  in  this  case  since  Internet  Explorer 
was  the  only  browser,  it  was  within  a  file  called  index.DAT. 

Q.  And  again,  what  does  index.DAT  capture? 

A.  It  captures  both  the  local  files  viewed  and  websites, 
access . 

Q.  What  do  you  mean  by  local  files  viewed? 

A.  Like  if  you  had  a  file  on  your  desktop,  you  could  —  and 

you  accessed  it,  it  would  capture  that  as  well. 

Q.  Now,  you  said  it  captured  websites  as  well.  Is  that 
correct? 

A.  Correct. 
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Q.  Did  it  capture  searches?  Searches  on,  like,  Google,  for 
example,  something  like  that? 

A.  It  would  have,  yes. 

Q.  And  what  kind  of  searches  did  the  Bradley . Manning  user 
account  conduct  that  you  observed? 

A.  There  were  several.  Things  for  like  Wget  was  one.  Bay 
64,  Excel  and  WikiLeaks  as  well. 

Q.  And  how  far  back  - 

MJ:  You  said  Bay  64? 

WIT:  Bay  64  and  Excel,  yes,  ma'am. 

Q.  Again,  for  the  Court,  Agent  Shaver,  what  is  Bay  64? 

A.  That's  an  encoding  mechanism  where  it  takes  text  and  you 
can  encode  it  into  XML  form.  It's  good  for  —  it's  used  for 
compression . 

Q.  And  if  you  would,  just  describe  where  you've  seen  Bay  64  — 
in  what  context  have  you  seen  Bay  64  on  the  SIPRNET  computers  you 
have  examined? 

A.  On  the  .22  computer,  there  was  a  common  separated  values, 
CSV  files,  of  Department  of  State  cables  which  had  been  converted  to 
Bay  64 . 

Q.  What  about  on  the  .40  computer? 
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A.  There  was  —  On  the  .40  computer,  within  the  allocated 
space,  there  was  one  CSV  file  containing  over  100,000  complete 
Department  of  State  cables  but  they  had  been  Bay  64  encoded. 

Q.  Now,  let's  go  to  the  internet  activity.  How  far  back  were 
you  able  to  see  activity  under  the  Bradley .Manning  user  account  on 
this  computer? 

A.  It  was  started  in  March  2010. 

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 

Prosecution  Exhibit  157  for  Identification.  I'm  showing  it  to  the 
defense  counsel. 

Q.  I'm  showing  you  what  has  been  marked  as  Prosecution  Exhibit 
157  for  Identification. 

MJ:  Prosecution  Exhibit? 

ATC [CPT  MORROW]:  157.  I'm  handing  the  witness  what's  been 

marked  as  Prosecution  Exhibit  157  for  Identification. 

Q.  Agent  Shaver,  do  you  recognize  that  document? 

A.  Yes,  sir. 

Q.  What  is  this  document? 

A.  Sir,  this  is  a  document  I  created.  It  is  the  small  segment 
of  the  internet  history  from  the  index.DAT  file  of  the 
Bradley .Manning  user  profile. 

Q.  Now,  let  me  stop  you  there.  How  is  it  created?  So  it's 
not  the  entirety  of  the  index.DAT? 
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A.  No,  sir.  It's  a  very  small  segment. 

Q.  How  did  you  create  that  small  segment? 

A  I  converted  the  index.DAT  to  an  Excel  document. 

Q.  And  then  what  did  you  do? 

A.  I  filtered  on  the  keyword  Wget. 

ATC [CPT  MORROW]:  Your  Honor,  permission  to  publish? 

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court  and  the  witness.] 

Q.  Agent  Shaver,  I  don't  want  to  go  through  the  whole  thing, 
but  I  want  to  go  through  a  couple  of  lines  of  information  here.  Can 
you  see  that? 

A.  Yes,  sir. 

Q.  Let's  talk  about  the  first  line.  Can  you  describe  the 
activity  you're  observing  now? 

A.  Yes,  sir.  Again,  the  line  number.  Number  1,  the  date  and 
time.  It  shows  the  Bradley .Manning  user  profile,  searched  Google  for 
the  keywords  "Wget"  and  "ampersand." 

Q.  And  how  does  an  ampersand  work  with  Wget? 

A.  It's  - 

Q.  What ' &  —  Why  would  those  two  be  connected  in  some  way? 

A.  Then  you  get  a  command  line  tool.  There  is  a  lot  of 
switches  and  a  lot  of  choices  —  you  can  tell  it  to  do  a  lot  of 
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things.  The  ampersand  sign  in  this  case,  it  would  help  it  run  a 
little  quicker  to  download  the  files. 

Q.  Now,  let's  move  down  to  --  Now,  Line  1  is  just  a  search  of 
the  Internet,  Wget  and  ampersand? 

A.  Correct. 

Q.  Let's  look  at  Line  9. 

A.  Yes,  sir. 

Q.  What  is  that  activity? 

A.  That's  on  27  March  2010,  and  that's  the  file  Wget.exe  being 
downloaded  from  the  website. 

Q.  And  now  let's  move  to  Line  15. 

A.  Yes,  sir. 

Q.  Again,  what's  the  activity  you  are  observing? 

A.  On  May  3rd,  2010,  again,  the  Bradley .Manning  user  profiles, 
someone  is  downloading  Wget.exe  again. 

Q.  Again,  let's  —  so  I  can  circle  back  here.  The  first  line 
at  least  in  this  is  3  March  or  7  March  2010? 

A.  Correct. 

Q.  Again,  what  was  the  —  how  much  internet  activity  were  you 
actually  able  to  observe  on  the  index.DAT  file  on  this  computer? 
Anything  before  7  March  2010? 

A.  No,  sir. 
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ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

Prosecution  Exhibit  157  for  Identification  into  evidence. 

ADC [CPT  TOOMAN] :  No  objection.  Your  Honor. 

MJ:  Prosecution  Exhibit  157  for  Identification  is  admitted. 

Questions  continued  by  the  assistant  trial  counsel  [CPT  MORROW] : 

Q.  Now,  you  say  the  user,  the  Bradley . Manning  user  downloaded 
Wget  on  3  May  2010.  Is  that  correct? 

A.  Correct. 

Q.  At  least  from  what  you  observed  in  the  Internet  Explorer? 

A.  Yes,  sir. 

Q.  Now,  did  you  observe  Wget  being  used  from  this  computer? 

A.  No,  sir. 

Q.  In  the  course  of  this  investigation,  have  you  seen  evidence 
that  Wget  was  present  on  other  computers? 

A.  Yes,  sir. 

Q.  And  what  other  computers? 

A.  On  .22,  sir. 

Q.  Now,  did  you  see  any  evidence  that  the  Wget  file  downloaded 
on  this  NIPRNET  computer  was  moved  to  the  .22  computer? 

A.  Yes,  sir. 

Q.  Can  you  explain  that,  please? 
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A.  Yes,  sir.  Again,  I  did  the  hash  value  of  the  file  being  on 
the  Wget  file  on  the  .139  computer  matched  exactly  the  same  file 
within  the  Bradley . Manning  user  profile  on  .22. 

Q.  And  could  you  tell  on  .22  when  that  movement  occurred,  when 
that  file  was  created  on  that  computer,  SIPRNET  computer? 

A.  It  was  shortly  —  It  was  a  few  hours  afterwards  created  on 
.139.  So  I  believe  .39  was  almost  2000  hours  and  just  a  few  hours 
later  it  was  on  .22. 

Q.  Agent  Shaver,  I  want  to  go  back  to  the  .22  computer  and  tie 
up  a  few  lose  ends.  I  mentioned  warning  banners  earlier.  Now,  were 
the  SIPRNET  computers  CAC  Enabled? 

A.  No,  sir. 

Q.  And  how  did  a  user  log  on  the  SIPRNET? 

A.  User  name  and  password. 

Q.  And  how  do  you  know  that? 

A.  I  converted  the  computer  into  a  virtual  machine  and  booted 
it  up  and  it  asked  me  for  a  user  name  and  password. 

ATC [CPT  MORROW]:  I'm  retrieving  what  has  been  marked  as 

Prosecution  Exhibit  155  for  Identification.  I'm  showing  the  defense 
counsel.  I  am  handing  the  witness  what’s  been  marked  as  Prosecution 
Exhibit  155  for  Identification. 

Q.  Do  you  recognize  that  document? 

A.  Yes,  sir. 
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Q.  And  what  is  it? 

A.  This  is  a  document  I  created  and  from  within  .22  I  went  to 
the  register  file  and  removed  the  —  copied  out  the  warning  banner 
and  placed  it  on  the  support  document . 

Q.  So  when  you  copied  out  the  warning  banner  from  the  registry 
file  on  the  .22  computer  and  you  copied  it  over  to  a  Word  document, 
did  you  alter  the  information  in  any  way? 

A.  No,  sir. 

ATC [CPT  MORROW]:  The  prosecution  moves  to  admit  Prosecution 

Exhibit  155  for  Identification  into  evidence. 

ADC [CPT  TOOMAN] :  No  objection,  ma'am. 

MJ:  May  I  see  it  please?  Prosecution  Exhibit  155  for 

Identification  is  admitted. 

Q.  Agent  Shaver,  I  want  to  talk  again  about  —  there's  been 
some  confusion  in  this  case  about  the  settings  for  internet  browsers. 
Again,  I  want  to  talk  specifically  about  the  Mozilla  Firefox  web 
browser.  What  is  that? 

A.  It's  a  web  browser,  sir. 

Q.  And  how  does  a  user  use  the  web  browser?  How  is  it 
utilized  by  someone,  sir?  This  isn't  a  trick  question. 

A.  Yes,  sir.  You  would  double-click  on  the  icon,  it  would 
open  up  and  it  goes  to  your  homepage  and  then  you  would  surf  the  web. 
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Q.  And  do  web  browsers  store  information  when  you  click  open 
and  search  the  web? 

A.  By  default.  In  this  case,  Firefox,  by  default,  it  does 
save  that  information. 

Q.  So  by  default,  Firefox  saves  Internet  Explorer  or  Internet 
web  browsing  history? 

A.  Correct. 

Q.  When  you  examined  the  .22  computer,  you  looked  at  the 
Firefox  web  browser,  correct? 

A.  Correct. 

Q.  How  was  that  web  browser  configured? 

A.  Within  the  Bradley .Manning  user  profile,  that  profile  had 
been  configured  to  —  to  turn  private  browser  mode  on  so  it  would  not 
obtain  any  history.  But  other  users  on  the  .22  computer  also  had 
Firefox,  but  those  computers  —  those  profiles  were  not  configured 
that  way.  They  were  configured  the  default  way  or  history  would  be 
maintained. 

Q.  Now,  in  order  to  —  so  essentially  what  I'm  hearing  is 
private  browsing  has  to  be  enabled  by  a  user,  it's  not  something  that 
is  the  normal  protocol  for  the  web  browser? 

A.  Correct. 

Q.  One  moment.  Your  Honor.  Are  you  familiar  with  a  video 
called  Collateral  Murder? 
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A.  Yes,  sir. 

Q.  And  where  have  you  seen  that  video  in  this  case? 

A.  Within  the  Bradley .Manning  user  profile,  that  video  was 
present . 

Q.  Can  you  explain  that,  please?  You  said  within  the 
Bradley .Manning  user  profile.  Just  a  little  more  specificity  if  you 
could 

A.  Yes,  sir.  Within  the  profile,  there's  a  folder  called 
videos . 

MJ:  In  which  computer? 

WIT:  I'm  sorry.  Thank  you,  ma'am.  On  .22  within  the 
Bradley .Manning  use  profile,  my  documents,  videos,  there  was,  I 
think,  another  folder  called  Sane  and  that's  where  that  video  was 
present,  was  allocated  there. 

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 

Prosecution  Exhibit  165  for  Identification.  I'm  handing  the  witness 
what's  been  marked  as  Prosecution  Exhibit  165  for  Identification. 

Q.  Do  you  recognize  that  document? 

A.  Yes,  sir. 

Q.  What  is  it? 

A.  This  is  a  screen  shot  of  the  EnCase  program,  but  it's 
showing  the  videos,  several  videos. 

ATC [CPT  MORROW]:  Permission  to  publish.  Your  Honor? 
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MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court  and  the  witness.] 

Q.  Now,  when  I  ask  you  whether  you  had  seen  the  Collateral 
Murder  video,  what  video  are  you  referring  to? 

A.  The  bottom  one,  OSC_YouTube-CM. wmv. 

Q.  And  approximately  how  long  is  that  video? 

A  It's  about  17  minutes. 

Q.  Can  you  describe  —  you  watched  the  video,  I  assume? 

A.  Yes,  sir. 

Q.  Can  you  describe,  generally,  what  it  depicted? 

A.  Yes,  sir.  It  starts  with  an  Orwellian  quote  and  then  it 
shows,  basically,  a  battle  scene  in  Iraq  and  with  a  commenting,  sub¬ 
text  pointing  things  out  with  arrows,  things  like  that. 

Q.  And  when  was  that  file  created  on  the  computer?  When  did 
that  file  appear  on  the  computer? 

A.  12  April  2010. 

Q.  And  what  does  that  mean  essentially? 

A.  That  file  was  copied  there  on  that  time  and  date. 

Q.  And  let's  look  at  the  middle  line  of  this  screen  shot.  What 
is  the  —  Have  you  watched  that  video  before,  the  12  July  CD 
Engagement  Zone? 

A.  I  have. 
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Q.  And  did  you  compare  that  file  to  the  OSC_YouTube-cm? 

A.  I  did. 

Q.  And  what  was  the  result  of  that? 

A.  The  12  July  07  CZ  movie,  that  appears  to  be  the  source. 

It's  a  much  longer  video  and  it  appears  to  be  from  military  aircraft. 
The  source  of  the  movie  for  the  OSC  YouTube  movie. 

ATC [CPT  MORROW]:  Prosecution  moves  to  admit  Prosecution 

Exhibit  165  for  Identification  into  evidence. 

ADC [CPT  TOOMAN] :  No  objection,  ma'am. 

ATC [CPT  MORROW]:  And  - 

MJ:  Prosecution  Exhibit  165  for  Identification  is  admitted. 

ATC [CPT  MORROW]:  And  I'm  retrieving  what's  been  marked  as 

Prosecution  Exhibit  168  for  Identification. 

Q.  Agent  Shaver,  I'm  handing  you  what's  been  marked  as 
Prosecution  Exhibit  168  for  Identification.  Now,  what  is  that? 

A.  It's  a  CD,  sir. 

Q.  Have  you  looked  at  that  CD? 

A.  Yes,  sir,  I  have. 

Q.  What  is  on  the  CD? 

A.  It's  a  movie  OSC_YouTube-CM. wmv. 

ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

Prosecution  Exhibit  168  for  Identification  into  evidence. 

ADC [CPT  TOOMAN]:  No  objection,  ma'am. 
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MJ:  Can  I  see  it,  please?  Prosecution  Exhibit  168  for 

Identification  is  admitted. 

ATC [CPT  MORROW]:  For  the  remainder  of  Agent  Shaver's 

testimony,  the  government  is  going  to  request  a  closed  session.  I 
don't  know  whether  defense  wants  to  cross  at  this  point. 

MJ:  You  want  to  cross-examine  Agent  Shaver  right  now? 

ADC [CPT  TOOMAN] :  Yes,  ma'am. 

MJ:  Why  don't  we  go  ahead  and  do  that. 

ADC [CPT  TOOMAN]:  Thank  you. 

CROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  Tooman] : 

Q.  Good  afternoon. 

A.  Good  afternoon,  sir. 

Q.  Agent  Shaver,  you  spoke  first  about  Centaur  logs? 

A.  Yes,  sir. 

Q.  So  let's  focus  on  that.  Now,  you  talked  about  a  number  of 
gaps  in  those  logs,  correct? 

A.  Yes,  sir. 

Q.  So  when  there  is  a  gap  in  the  logs,  you  don't  see  any 
activity? 

A.  Correct. 

Q.  Now,  is  it  possible  that  when  there's  a  gap  in  the  log  that 
could  be  because  the  SIPRNET  was  down? 
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A.  The  entire  SIPRNET? 

Q.  Or  a  particular  user's  access  to  SIPRNET? 

A.  Sure. 

Q.  Okay.  And  if  that  were  the  case,  the  user  wouldn't  have 
the  ability  to  transfer  any  data? 

A.  Correct. 

Q.  And  if  a  user  didn't  have  SIPRNET  access,  again.  Centaur 
logs  wouldn't  catch  anything,  correct? 

A.  No. 

Q.  And  they  wouldn't  be  able  to  do  anything  with  their  SIPRNET 
machine? 

A.  Yes,  sir. 

Q.  Now,  with  respect  to  the  Centaur  logs,  there  was  no 
activity  in  November  of  2009  that  was  large  enough  to  have 
transferred  a  video,  correct? 

A.  Correct. 

Q.  The  same  is  true  in  December  of  2009? 

A.  Correct. 

Q.  Now,  let's  transition  to  the  Department  of  State  firewall 
logs  you  spoke  about? 

A.  Yes,  sir. 

Q.  Now,  a  firewall  would  stop  an  individual  who  doesn't  have 
access,  correct?  ' 
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A.  Correct. 

Q.  So  if  a  user  has  access  to  the  Department  of  State  server, 
the  firewall  is  going  to  let  him  through? 

A.  Correct. 

Q.  And  if  they  don't  have  access,  the  firewall  is  going  to 
stop  them? 

A.  Correct. 

Q.  Now,  those  firewall  logs  were  pretty  bare  bones,  weren't 

they? 

A.  Yes,  sir. 

Q.  All  they  really  captured  were  a  date  and  a  time? 

A.  And  a  number  connection,  yes,  sir. 

Q.  So  you  get  a  date  and  a  time? 

A.  Yes.  Q  You  get  a  number  of  connections  and  you'd  get  the 
source  IP? 

A.  Correct. 

Q.  And  the  destination  IP? 

A.  Correct. 

Q.  And  the  Department  of  State  left  a  lot  on  the  table  as  far 
as  the  other  data  they  could  have  captured,  correct? 

A.  Left  a  lot? 

Q.  The  firewall  log  could  have  captured  more  data? 
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A.  I'm  not  sure  about  that  firewall,  but  other  firewalls  could 

have . 

Q.  Okay.  What  other  types  of  information  can  firewall  logs 
catch? 

A.  They  capture  lots  of  things,  like  files  transfer,  amount  of 
data  transferred,  things  like  that. 

Q.  And  the  Department  of  State  firewalls  logs  weren't  set  up 
to  do  that? 

A.  No,  sir. 

Q.  Now,  you  spoke  about  the  number  of  connections  between  the 
.22  and  .40  machine  and  the  Department  of  State  servers  and  you 
talked  about  one  where  there  was  —  one  day  where  there  were  a  lot  of 
connections,  149,0000  connections? 

A.  Yes,  sir. 

Q.  Now,  is  it  possible  that  some  of  those  connections  were 
failed  connections,  there  was  an  attempt  and  then,  ultimately, 
nothing  happened? 

A.  It  is  possible. 

Q.  Now,  if  one  were  to  automate  that  process  of  connecting  to 
a  server,  how  long  would  those  149,000  connections  take? 

A.  Not  very  long.  It  depends  on  the  automation  method. 

Q.  Okay.  Would  it  also  depend  on  whether  or  not  data  was 
being  transferred? 
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A.  Yes,  and,  of  course,  you  have  to  worry  about  your  network 
speed,  where  you  are  in  the  world,  are  there  other  issues. 

Q.  So  it's  possible  that  149,000  connections,  while  a  big 
number,  could  have  happen  very  quickly? 

A.  Yes. 

Q.  And  it's  also  possible  that  while  those  connections  are 
happening,  the  user  of  the  source  IP  —  use  of  the  source  IP  is  doing 
other  things? 

A.  Correct. 

Q.  Let's  switch  to  the  NIPR  computer. 

A.  Yes,  sir. 

Q.  the  .139  computer.  Now,  you  mentioned  that  there  was  no 
activity  before  March  on  that  computer.  Is  that  right? 

A.  For  that  profile,  yes. 

Q.  Okay,  for  that  profile.  Do  you  know  why  that  was? 

A.  No,  sir. 

Q.  Do  you  know  if  that  particular  machine  had  been  reimaged 
at  all? 


A.  I  do  not  recall. 

Q.  Do  you  know  if  that  particular  machine  had  been  wiped? 

A.  No,  sir,  not  to  my  knowledge. 

Q.  Do  you  know  if  that  particular  machine  had  the  operating 
system  reinstalled? 
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A.  No,  sir.  I'm  sorry,  I  do  not. 

Q.  Now,  in  your  review  of  that  machine,  the  NIPR  machine,  did 
you  find  any  evidence  of  the  WikiLeaks  most  wanted  list  on  that 
computer? 

A.  No,  sir,  I  did  not. 

Q.  And  on  that  NIRP  machine,  where  was  that  physically 
located? 

A.  I  was  told  it  was  in  the  SCIF  in  the  common  area. 

Q.  So  out  in  the  open? 

A.  Yes,  sir. 

Q.  Where  people  would  be  walking  by? 

A.  Presumably  so,  yes,  sir. 

Q.  Now,  you  spoke  about  web  browsers  and  browsing  history? 

A.  Yes,  sir. 

Q.  Are  you  aware  of  any  restrictions  on  setting  your  computer 
up  to  do  private  browsing? 

A.  On  the  Army  computers  for  Internet  Explorer,  that  was  not  a 
option.  But  I  don't  know  of  any  prohibitions  from  it  for  other 
browsers . 

ADC [CPT  TOOMAN] :  One  moment  please.  Your  Honor.  That's  all. 

MJ:  Thank  you.  Redirect? 

ATC [CPT  MORROW]:  No,  Your  Honor. 

MJ:  Agent  Shaver,  I  have  a  couple  of  questions. 
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EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge? 

Q.  I  just  want  to  make  sure  I  understood  your  answer  to  the 
last  question.  Are  you  saying  that  on  the  NIPR  computer  a  user 
couldn't  do  private  browsing? 

A.  Correct,  ma'am.  The  NIPRNET  computer  .139  only  had  the 
Internet  Explorer  browser  and  that  feature  for  private  browsing  was 
not  available  for  a  user. 

Q.  Oh,  so  when  you're  talking  about  private  browsing,  you're 
talking  about  the  Internet  history,  not  browsing  for  personal 
reasons? 

A.  Correct. 

Q.  I  misunderstood  you.  Give  me  a  second. 

A.  Yes,  ma'am. 

Q.  I  believe  you  testified  earlier  that  you  saw  the  Wget 
downloaded  from  the  .139  computer  and  then  several  hours  later  saw  it 
on  the  .22  computer? 

A.  Correct. 

Q.  What  are  possible  ways  that  a  user  could  transfer  a  Wget 
program  from  the  .139  computer  to  the  .22  computer? 

A.  Most  logical  is  burn  a  CD. 

Q.  Do  SIPRNET  computers  like  .22,  just  regular  CDs  that  go  on 
NIPRNET  computers,  they  take  the  same  kinds  of  CDs? 
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A.  Yes,  ma'am. 

Q.  We  spoke  earlier  that  149,000  connections  could  happen 
quickly.  Now,  is  that  for  any  user  or  a  user  using  some  special 
automated  program? 

A.  It  would  appear  just  a  volume.  It  was  some  kind  of 
automated  tool,  something  that  made  a  repetitive  task  fast. 

Q.  If  a  user  did  not  have  an  automated  tool,  could  a  user  make 
149,000  connections  in  one  day? 

A.  Maybe  if  they're  really  dedicated,  ma'am.  They  would  be 
clicking  a  lot. 

Q.  On  the  Centaur  logs  where  there  was  no  activity  --  was 
there  no  activity  —  did  you  look  and  see  if  there  were  activities  to 
the  computer  on  the  day  or  the  nightshift? 

A.  There  was  no  activity  at  all. 

Q.  No  activity  at  all? 

A.  Correct. 

A.  Did  you  look  at  whether  there  was  activity  on  the  day 
versus  the  nightshift? 

A.  It  would  just  show  up  as  activity  as  in  a  day.  So  if  there 
was  activity,  you  would  have  to  look  at  the  times  to  determine,  but 
we  just  said  show  everything  you  have  for  —  everything  you  had  for 
the  entire  time  period.  And  this  is  what  they  gave  us.  So  if  it  was 
there,  it  would  be  there.  It  was  both  day  or  nightshift. 
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Q. 

And  I  believe  you  answered  in  response  to  a  defense 

question 

of  one  thing  that  could  cause  a  gap  in  the  Centaur  logs 

would  be 

that  the  user's  SIPR  was  down. 

A. 

SIPRNET  was  down,  if  there's  a  network  issue,  yes,  ma'am. 

Q. 

What  other  possible  causes  could  there  be? 

A. 

The  Centaur  failed.  Again,  big  network  issues. 

Q- 

And  then  the  139  NIPR  you  testified  there  was  no  activity 

before  March  of  2010  for  the  Bradley . Manning  user  profile? 


A. 

Correct . 

Q. 

Did  you  see  if  there  was  activity  before  March  for  any  of 

the  other  user  profiles? 


A. 

I  don't  recall,  ma'am. 

MJ: 

Any  follow  up  based  on  mine? 

ATC [CPT  MORROW]:  One  more  question.  Your  Honor. 

REDIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  MORROW] : 

Q.  Agent  Shaver,  you  talked  to  me  about  a  number  of  reasons 
for  gaps  in  the  Centaur  data.  But  based  on  your  analysis  of  all  the 
information  you've  seen  in  the  case,  all  the  logging  information. 
Department  of  State  logs,  IntelLink  logs,  et  cetera,  what  is  the  most 
likely  reason  for  the  gap  in  Centaur  data? 

A.  The  Centaur  failed. 

ATC [CPT  MORROW]:  Thank  you. 
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RECROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Now,  Agent  Shaver,  you  talked  about  -  we've  talked  about 
private  browser  and  Internet  Explorer.  Now,  on  the  NIRP  machine,  the 
only  web  browser  on  that  was  Internet  Explorer,  correct? 

A.  Yes. 

Q.  On  other  machines,  the  .22  machine  or  the  .40  machine 
there's  Firefox? 

A.  Correct. 

Q.  And  in  Firefox  one  of  the  options  is  private  browsing? 

A.  Correct. 

Q.  And  that's  not  an  option  with  Internet  Explorer? 

Not  in  that  version,  correct. 

But  when  it  is  an  option,  there's  nothing  that  would 
prevent  a  user  from  employing  private  browsing,  correct? 

A.  I  don't  know  how  the  Army  does  it  now,  but  at  that  time 
that  feature  was  not  available.  So  it  was  an  older  browser.  I  don't 
know - 


A. 

Q. 


MJ:  Are  you  speaking  of  Internet  Explorer  or  Firefox? 

WIT:  Yes,  ma'am.  Internet  Explorer,  it  was  an  older  browser 
version  and  I  don't  believe  that  was  a  present  as  an  option. 

Q.  Let  me  clarify.  The  Firefox  on  those  computers,  private 
browsing  was  an  option  within  Firefox? 
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A.  Yes. 

Q.  And  there  was  nothing  that  would  have  prevented  a  user  from 
employing  private  browsing  on  Firefox? 

A.  That  is  correct. 

Q.  Now,  you  talked  about  Wget  and  how  it  would  have  gotten  on 
the  .22  machine.  When  it  was  put  on  the  22  machine,  it  was  put  on 
there  as  an  executable  file,  correct? 

A.  Correct. 

Q.  So  that  means  it  wouldn't  have  gone  into  the  program  list? 

A.  It  could  have. 

Q.  How  would  a  user  get  into  the  program  list? 

A.  You  would  need  administrative  privileges  to  put  it  there. 

Q.  So  if  it  wasn't  in  the  program  list  —  well,  you  would 
needed  administrative  privileges  to  do  that? 

A.  To  put  it  there,  yes. 

Q.  So  if  you  wouldn't  have  —  if  a  person  didn't  have 
administrative  rights,  they  would  pretty  much  have  to  put  it  on  their 
desktop? 

A.  Correct. 

Q.  Or  they  could  run  it  from  the  disk? 

A.  Correct. 

Q.  And  you  don't  know  whether  or  not  that  process  was 
authorized  within  the  S-2  section  of  2-10  Mountain? 
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A.  I'm  sorry? 

Q.  The  process  of  placing  an  executable  file  on  the  desktop? 

A.  No,  sir.  I  have  no  knowledge  of  that. 

Q.  Now,  you  testified  that  in  all  likelihood  the  gaps  in  the 
Centaur  logs  would  have  been  caused  by  Centaur  itself  just  being 
down? 

A.  Correct. 

Q.  So  that  wouldn't  have  anything  to  with  any  action  by  PFC 
Manning? 

A.  Correct. 

ATC [CPT  MORROW]:  Thank  you.  Agent  Shaver. 

WIT:  Yes,  sir. 

MJ:  Let  me  ask  one  follow  up  based  on  that  to  make  sure  I 

understand  your  testimony. 

EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  So  the  Wget ,  to  be  on  the  SIPR  computer,  when  does  it 
require  administrative  privileges? 

A.  To  run  it,  you  don't  need  that.  You  don't  have  to  have 
administrative  privileges  to  run  it.  But  if  you  were  going  to  put  it 
in  the  common  area,  the  program  files  where  all  the  other  programs 
such  as  Office  reside,  you  need  a  privilege  to  put  a  file  there. 

Q.  So  a  user  could  run  Wget  on  his  computer  by  CD  or  desktop? 
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A.  Correct. 

MJ:  Any  follow  up  based  on  that? 

ATC [CPT  MORROW]:  No,  Your  Honor. 

ADC [OPT  TOOMAN] :  No,  ma'am. 

MJ:  All  right.  Are  we  ready  to  move  into  closed  session? 

TC [MAJ  FEIN]:  Yes,  ma'am.  The  United  States  requests  the  Court 
for  a  closed  session  pursuant  to  the  Court's  previous  order  what  has 
been  marked  as  Appellate  Exhibit  550.  The  Court  is  ordered  to  close 
certain  proceedings  dated  21  May  2013,  to  elicit  very  specific 
testimony  from  Special  Agent  Shaver  in  reference  to  Specification  3 
of  Charge  II  and  only  Specification  3  of  Charge  II. 

MJ:  Approximately  how  long  does  the  government  anticipate  this 

session  will  last? 

TC [MAJ  FEIN]:  Your  Honor,  the  government's  case  and  the 
defense' s  case  and  any  questions  from  the  Court,  no  more  than  max  30 
minutes.  Likely,  less  time. 

MJ:  All  right.  Will  you  need  a  recess  to  put  any  measures  in 

place? 

TC [MAJ  FEIN]:  Yes,  ma'am.  The  United  States  requests  a  20- 
minute  recess  in  order  to  institute  the  correct  measures,  swap  out 
the  court  reporter  equipment. 

MJ:  All  right.  Is  there  anything  else  that  we  need  to  address 

before  we  have  the  recess? 
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TC [MAJ  FEIN]:  No,  ma'am. 

ADC [CPT  TOOMAN] :  No,  ma'am. 

MJ:  All  right.  Members  of  the  gallery  and  the  public,  the  court 

is  going  to  close  this  portion  of  the  trial  pursuant  to  the  Court's 
earlier  findings  under  Rule  for  Court-Martial  806.  We  are  also  going 
to  have  a  brief  reopening  of  the  public  portion  of  the  trial  after 
the  closed  session.  Based  on  what  Major  Fein  has  proffered  to  me, 

I'm  thinking  that's  going  to  take  place  roughly  around  4:00  o'clock 
or  1600.  Does  that  sound  about  right? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

MJ:  All  right.  We  may  need  to  be  a  little  bit  flexible.  I 

can't  say  with  actual  precision  when  it's  going  to  occur,  but  that's 
going  to  be  the  target  range.  So  court  is  in  recession  for  20 
minutes . 

[The  court-martial  recessed  for  a  closed  session  hearing  at  1454,  26 
June  2013.] 

[END  OF  PAGE] 
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1  [The  court-martial  was  called  to  order  at  1507,  26  June  2013.] 

2  MJ:  Court  is  called  to  order.  We  are  in  closed  session, 

3  however  there  are  people  in  the  gallery.  It  is — and  the  witness  is 

4  hack  on  the  witness  stand.  Major  Fein,  would  you  like  to  describe, 

5  for  the  record,  who  is  here? 

6  TC [MAJ  FEIN]:  Yes,  ma'am.  Ma'am,  all  parties  when  the  court 

7  last  recessed  are  again  present,  including  the  Court’s  paralegal,  the 

8  bailiff,  Mr.  Prather,  the  defense  security  experts,  military  police, 

9  U.S.  government  officials,  and  the  defense — or,  excuse  me,  the 

10  prosecution  security  expert  and  paralegal.  Also,  this  session  is 

11  classified  at  the  SECRET:  level .  And,  prior  to  this  session 

12  beginning,  the  court  security  officer  filled  out  the  checklist  which 

13  will  be  filed  with  the  allied  papers  with  the  Court — or  in  the 

14  record,  excuse  me. 

15  MJ:  All  right.  Before  we  begin,  let  me  ask  a  question. 

16  Obviously,  my  NIPR  computer  is  not  present  and  I  normally  take  notes 

17  via  automation,  so  I  now  have  a  white  pad  for  notes.  What  is  the 

18  current  plan  for  my  notes?  How  wiil  they  be  marked  if  necessary? 

19  TC [MAJ  FEIN]:  Yes,  ma'am,  the  court  security  officer  will 

20  control  your  notes,  Your  Honor— the  Court's  notes  and  be  able  to  have 

21  them  reviewed  as  necessary  to  ensure  that,  if  there  is  classified 

22  information,  -it  is  properly  marked  and  if  there  is  not,  then  to 
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1  notify  the  Court  so  the  Court  can — you  may  use  your  notes  freely  on 

2  your  NIPR  machine. 

3  MJ:  All  right.  And  I  assume  both  sides — their  security 

4  officers  have  a  procedure  in  place  to  ensure  that  vour  written  work 

5  product  has  the  same  procedural  reviews? 

6  ADC [CPT  TOOMAN] :  Yes,  ma'am. 

7  TC [MAJ  FEIN]:  Yes,  ma'am. 

8  MJ:  Is  there  anything  else  we  need  to  address  before  we 

9  proceed? 

10  TC [MAJ  FEIN]:  No,  ma'am. 

11  ATC [CPT  MORROW]:  No,  Your  Honor.  I  just  want  to  make  the  court 

12  aware  I'm  going  to  ask  a  number  of  foundational  questions  that  we'll 

13  repeat  when  we're— I'll  repeat  from  when  we  were  in  open  session  just 

14  so  that  it  will  be  the  same — that  everyone  will  understand  where  I'm 

15  going,  essentially. 

16  MJ:  All  right.  And,  once  again.  Government,  you  have  a 

17  position — a  system  in  place,  now,  for  doing  a  transcript  and  a 

18  classified  review  of  this  session  pursuant  to - 

19  TC [MAJ  FEIN] :  Yes,  ma'am,  and - 

20  MJ:  - the  plan  you  presented  me? 

21  TC [MAJ  FEIN]:  Yes,  ma'am,  and  when  we  go  into  open  session,  the 

22  United  States  will  offer  to  repeat  that  plan  on  the  open  session. 
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MJ:  All  right. 

REDIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  MORROW]  : 

Q.  Agent  Shaver,  I'd  like  to  discuss  log  files  collected  from 
the  Central  Intelligence  Agency.  Did  you  examine  those  log  files? 

A.  Yes,  sir,  I  did. 

Q.  And  what  exactly  was  collected  by  CCIU? 

A.  There  was  two  sets  of  log  files;  one  for  the  Open  Source 
Center  and  one  for  the 

Q.  And  let's — in  this  session,  let's  talk  about  the. 

log  files.  Do  you  recall  whether  PFC  Manning  had 
an  account  that  would  have  allowed  him  access  to  the 
> 

A.  Yes,  sir,  he  did. 

Q.  And  what  was  that  account  name? 

A.  It  was  "bradley. e. manning. " 

Q.  And  what  kind  of  information  was  captured  in  the 
audit  log  files? 

A.  Dates  and  times,  user  account,  the  IP  address,  files 
requested  files  viewed. 

Q.  And  when  you  say,  "files  viewed,"  did  it  have  the  file 
name?  How  was  the  file — do  you-' - 

3 
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A.  It - 

,Q.  - how  does  it  appear  in  the  log  files? 

A.  It  would  say,  "File  viewed"  and  have  the  file  name. 

Q.  I'm  retrieving  what's  been  marked  as  Prosecution  Exhibits 
166  and  167  for  identification.  I'm  showing  the  defense  counsel. 
I'm  handing  the  witness  what's  been  marked  as  Prosecution  Exhibits 
166  and  167  for  identification.  Can  you  take  a  look  at  those, 
please? 


9 

10 

11 

12 

13 
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15 
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17 
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A.  [Examining  PE  166  and  167  for  ID.]  Yes,  sir, 

Q.  Now,  do  you  recognize  those  documents? 

A.  Yes,  sir,'  I  do. 

Q.  And  what  are  they? 

A.  They' re  i 

ATC[CPT  MORROW] :  Permission  to  publish.  Your  Honor? 

MJ:  Go  ahead. 

[The  assistant  trial  counsel  published  PE  167  for  identification  on 
the  overhead. ] 

Q.  Agent  Shaver,  I'm  just  going  to  show  you  the  first  page  of 
the  document  that  was  marked  "Confidential." 

MJ:  And  that's  Prosecution  Exhibit — what? 
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1  ATCtCPT  MORROW]:  That  is  Prosecution  Exhibit  167  for 

2  identification. 

3  [Examination  of  the  witness  continued.] 

4'  Q.  So,  Agent  Shaver,  you  said  you— the  file  that  was  viewed  in 

5  the  log  files  had  a  title  or  something  or  at  least  had  a  name.  Can 

6  you  describe  that,  please? 

7  A.  Yes,  Sit,  it  was  a  series  of  letters  and  numbers,  but  it 

8  wasn't,  like,  a  common  name  like,  in  this  case,  like 

9  I  ; it  was  a  bunch  of  numbers. 

10  Q.  Okay.  And  what  is  the  title  of  this  document? 

11  A. 

12  j 

13  Q.  Now,  did  you  see — did  you  observe  the  user  account 

14  associated  with  PFC  Manning  access  this  document  on  the 

15  A.  Yes,  sir. 

16  MJ:  And  what — approximately  what  time  frame,  do  you  recall? 

17  A.  No,  sir,  I  don't;  it  was  March  2010. 

18  ATC [CPT  MORROW]:  Okay.  I'm  now  publishing  what's  been  marked 

19  as  Prosecution  Exhibit  166  for  identification. 

20  Q.  And  what's  the  title  of  this  document? 

21  A. 

22 

5 
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Q.  And,  again,  when  you — did  you  see  this  document  accessed  in 
the |  logs? 

A.  I  did,  sir. 

Q.  And  how  did  the  document  appear  in  the  logs, 

themselves? 

A.  It  was  not  named — it  was  named  with  numbers  and  some 
letters,  but  nothing  like  or  anything  like  that. 

ATC [CPT  MORROW]:  I  am  removing  the  'first  page  of  Prosecution 
Exhibit  166  for  identification  from  the  ELMO. 

Q.  Agent  Shaver,  now,  you  said  you  saw  both  of  these  documents 
accessed  by  the  Bradley  Manning  user  account  in  the  logs,  is 

that  correct? 

A.  Yes,  sir. 

Q.  Did  you  see  any  evidence  on  any  other  machines  or  on  any 
other  log  files  that  suggested  that  these  documents  were  placed  on 
some  other  piece  of  media  associated  with  PFC  Manning? 

A.  Yes,  sir.  Within  .22,  in  the  bradley .manning  user  profile, 
files  with — named:  ; appeared  in  several  locations. 

ATC [CPT  MORROW]:  I'm  retrieving  what's  been  marked  as 
Prosecution  Exhibit  154  for  identification — 154.  I'm  showing  the 
defense  counsel. 
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Q.  Agent  Shaver,  I'm  handing  you  what’s  been  marked  as 
Prosecution  Exhibit  154  for  identification.  Do  you  recognize  that 
document? 

A.  Yes,  sir. 

MJ:  And  what  is  it? 

A.  This  is  a  document  I  created.  This  is  a  summary— this  is 
an  excerpt  of  the  Intelink — or,  excuse  me,  an  excerpt  of  the 
index.dat  file  from  the  bradley. manning  user  profile  from  the  .22 
computer . 

Q.  Now,  the  index.dat  file  is  a  large  file,  is  that  correct? 

A.  Yes,  sir. 

Q.  How  is  this  particular  document  created? 

A.  Sir,  I  filtered  on  the  and 

also  on  the  keyword  ’’blah. zip." 

ATC [CPT  MORROW]:  Permission  to  publish,  Your  Honor? 

MJ:  Go  ahead. 

[The  assistant  trial  counsel  published  PE  154  for  identification  on 
the  overhead. ] 

Q.  Agent  Shaver,  I'd  just  like  you  to  sort  of  describe,  if  you 
could,  line-by-line  the  activity  you're  observing  in  the  index.dat 
file. 


7 
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1  A.  Yes,  sir.  The  first  line  I've  got  March  17th,  2010,  the 

2  user  account  bradley. manning  visited  the  file--that  means  it's 

3  physically  located  on  the  computer — and  there  is  a  path,  documents 

4  and  settings,  bradley .manning,  desktop, 

5  j 

6  Q.  So  where  was  this  document  located  on  March  17th,  2010? 

7  Aj  This  document  was  located  on  the  desktop  of  the  user 

8  profile  bradley .manning. 

9  Q.  Now,  describe  this  migration  in  the  lines  below  that, 

10  please. 

11  A.  Yes,  sir.  The  next  entry  is  on  21  March.  It's  now  in — 

12  from  the  desktop,  it  is  moved  to  the  "My  Documents"  folder.  And 

13  another  file  has  joined  it:  ]  on  the  third 

14  line  down;  that's  March  21st.  And  then  the — on  March  22nd,  the 

15  folder  "Blah"  is  now  present  and  the  two  documents  reside  in  the 

16  bradley .manning  user  profile — the  "My  Dccuments\B!  ah"  folder.  And 

17  then  on — a  little  later  on  March  22nd,  as  well,  another  folder  called 

18  "Interesting"  is  introduced.  So  it's  now— the  files  now  exist  on  the 

19  .22,  the  bradley. manning  user  profile,  in  "My 

20  Documents\Blah\Interesting. " .  And  then  the  last  entry,  on  22  March, 

21  is  that  a  file  called  "Blah.zip"  is  created  and  you  note  that  the 
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1  line — the  second  to  the  bottom  line,  the  time  is  13:37:11  and  then  at 

2  13:37:45,  the  file  "Blah. zip"  is  present. 

3  Q.  Now,  I  want  to  talk  about  "Blah.zip."  Where  else  have  you 

4  seen  "Blah,  zip"' in  this  case?  What  other— on  what  other  piece  of 

5  media  have  you  seen  "Blah.zip"  in  this  ease — -or  evidence  that 

6  "Blah.zip"  may  have  been  present  on  another  computer? 

7  A.  Correct,  sir.  I  believe  it  was  on  the— PFC  Manning's 

8  personal  Macintosh. 

9  Q.  Can  you  describe  where  it  was  on  the  personal  Macintosh — or 

10  if  it — I  mean,  was  the  file  actually  there,  or  was  it  just  evidence 

11  that  the  file  may  have  been  there? 

12  A.  The  file  name  was  there  on  a  mounted  volume. 

13  Q.  What  do  you  mean  by  "mounted  volumes"? 

14  A.  I  believe  Mr.  Johnson  has  testified,  too,  that  CDs  were 

15  created  on  the  .22  computer,  they  were  named— tiers,  date — tiers — the 

16  date  convention  and  that  file  was  found  in  that  pafc'n^-that  unique 

17  path  on  the  personal  computer. 

18  ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  moves  to  admit 

19  Prosecution  Exhibit  154  for  identification  into  evidence. 

20  ADC  [CPT  TOOMAN]-:  No  .objection,  ma'am. 

21  ATC [CPT  MORROW]:  Prosecution  also  moves  to  admit  Prosecution 

22  Exhibits  166  and  167  for  identification  into  evidence. 
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1  ADG [CPT  TOOMAN] :  No  objection.  Your  Honor. 

2  MJ:  All  right.  May  I  see  them,  please?  [Receiving  PE  154, 

3  166,  and  167  for  identification.]  Prosecution  Exhibits  166,  167,  and 

4  154  for  identification  are  admitted.  And  before  we  proceed,  is  there 

5  any  issue  with  saying  that  these  exhibits,  by  number,  have  been 

6  admitted  in- open  session? 

7  TC [MAJ  FEIN]:  No,  ma’am,  however,  since  you  asked,  there  does 

8  need  to  be  a  change  at  the  end  of  this  closed  session  with  what's 

9  been  marked  on  the  actual  prosecution  exhibit  list  and  we'll  make 

10  that  change  with  the  court  reporter.  The  term  is  used  and 

11  we  should - 

12  MJ:  Okay. 

13  ATC [GPT  MORROW]:  Thank  you.  Agent  Shaver. 

14  WIT:  Yes,  sir. 

15  RECROSS  EXAMINATION 

16  Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

17  Q.  Agent  Shaver. 

18  A.  Sir. 

19  q.  Now,  Agent  Shaver,  you  reviewed  the 

20  and  the  open  source  logs,  correct? 

21  .  A.  Yes,  sir. 
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1  Q.  And,  in  your  review  of  those  logs,  you  saw  activity  beyond 


2 

just 

for 

these  :  documents,  correct? 

3 

A. 

Yes,  sir. 

4 

Q. 

In  fact,  you  saw  a  number  of  searches  related  to  things 

in 

5 

Iraq 

,  correct? 

6 

A. 

Yes,  sir. 

7 

Q. 

And  nothing  in  your  review  of  this  evidence  suggested  to 

8 

you 

that 

WGET  was  ever  used  with  respect  to  open  source? 

9 

A. 

Correct . 

10 

Q. 

And,  in  your  opinion,  could  open  source — could  a  user  have 

11 

employed  WGET  on  the  open  source  website? 

12 

A. 

I  did  not  have  an  account,  so  I  don't  know.  Sorry. 

13 

ADC [CPT  TOOMAN] :  Okay.  Thank  you,  Agent  Shaver. 

14 

MJ: 

Redirect? 

15 

ATC [CPT  MORROW]:  No,  Your  Honor. 

16 

MJ: 

All  right.  Agent  Shaver,  I  have  a  couple  of  questions 

for 

17 

you. 

18 

EXAMINATION  BY  THE  COURT-MARTIAL 

19 

Questions  by  the  military  judge: 

20 

Q. 

When  you  found  these— Prosecution  Exhibit  166  and  167, 

the 

21 

two 

documents — j 

22 

A. 

Yes,  ma'am. 
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1  Q.  - were  you  able  to  tell,  when  they  were  on  the  Bradley 

2  Manning  user  profile,  where  they  came  from? 

3  A.  No,  ma'am,  but  I  can  see  the  file  names  were  there  and  then 

4  to  look  at  the  log  files— the  OSC  logs,  excuse  me,  the 

5  would  show  that  the  files  were  viewed  and  once  they  are  viewed,  they 

6  would  be  presented  to  your  computer  and  it  would  be  easy  to  File, 

7  Save  As . 

8  Q.  But  the  files  were  reviewed  from  where? 

9  A.  .  They  were  on  the  .22  and  the  logs  Capture  that. 

10  Q.  And  were  you  involved  the  NIPRNET  computer  that  was  in  the 

11  supply  room? 


12 

A. 

.19? 

13 

Q. 

I  don ' t  know . 

14 

ATC [CPT  MORROW]:  Yes,  Your  Honor,  the  IP  address 

is  .19. 

15 

MJ: 

Yes . 

16 

A. 

X — no,  maJam,  I  was — as  a  supervisor,  I  reviewed  A1 

17 

Williamson's  report,  but  I  did  not  do  the  conduct  the 

examination, 

18 

MJ: 

Thank  you. 

19 

WIT: 

Yes,  ma'am. 

20 

MJ: 

.Any  follow-up  based  on  that? 

21 

ATC [CPT  MORROW]:  No,  Your  Honor. 

22 

ADC [ CPT  TOOMAN ] :  No ,  ma'am. 

12 
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1  MJ:  All  right.  Is  there  anything  else  we  need  to  do  in  closed 

2  session? 

3  ATC [CPT  MORROW]:  No,  Your  Honor. 

4  ADC [CPT  TOOMAN] :  'No,  Your  Honor. 

5  MJ:  Okay.  Well,  I  told  everybody  we're  going  to  be  starting  at 

6  1600,  so  why  don't  we  go  ahead  and  take  a  recess  until  1600  and  then 

7  come  back  into  court? 

8  TC [MAJ  FEIN]:  Yes,  ma'am,  and  we  also — may  we  have  a  short  802 

9  prior  to  that  to  talk  about  tomorrow's  schedule? 

10  MJ:  Certainly.  What  time  do  you  want  to  do  it? 

11  TC [MAJ  FEIN]:  Maybe  a  quarter  till,  ma'am? 

12  MJ:  Okay.  That  works.  Are  we  going  to  have  the  witness  back 

13  for  the  open  session? 

14  TC [MAJ  FEIN];  Yes,  ma'am. 

15  ATC [CPT  MORROW] :  We  do,  Your  Honor;  I  need  to  ask  a  few  more 

16  questions  about  the  Open  Source  Center  logs  in  an  open  session. 

17  MJ:  All  right. 

18  [The  witness  was  duly  warned,  temporarily  excused,  and  withdrew  from 

19  the  courtroom.] 

20  MJ:  Anything  else  we  need  to  do  at  this  time  before  we  recess 

21  the  closed  session? 

22  TC[MAJ  FEIN]:  No,  ma'am. 
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1  MJ:  AH  right.  1  notice,  now,  it's— again,  .v 

2  is  in  recess. 

3  [The  court-martial  recessed  at  1524,  26  June  2012.] 
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[The  court-martial  was  called  to  order  at  1607,  26  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  the 

gallery  is  open.  The  spectators  have  returned.  The  witness  is  on 
the  witness  stand.  Major  Fein? 

TC [MAJ  FEIN]:  Ma'am,  all  parties  when  the  Court  last  recessed 
are  again  present  with  the  exception  of  Captain  Overgaard.  Also, 

Your  Honor,  based  off  of  this  closed-session,  and  the  government's 
proposal  under  548  in  order  to  transcribe  —  swiftly  transcribe  the  - 
-  any  closed  sessions  that  we  have  that  the  government  will 
expeditiously  prepare  a  transcript  of  this  testimony  and  conduct  an 
appropriate  classification  review  of  the  transcript.  The 
organizations  involved  for  doing  the  classification  review  are 
standing  by  and  once  the  transcript  is  completed,  which  we  estimate 
to  only  take  one  full  duty  day  it  will  be  given  to  the  parties  for 
authentication,  once  authenticated  —  or  once  reviewed  whether 
authenticated  or  not  by  the  Court  it  will  then  be  sent  to  the 
organizations  for  the  classification  review. 

MJ:  All  right.  Thank  you.  Any  issues? 

CDC [MR .  COOMBS]:  No,  Your  Honor. 

MJ:  All  right.  Anything  else  we  need  to  address  before  we 

proceed  with  direct  examination  of  the  witness? 

TC [MAJ  FEIN]:  No,  ma'am.  I  guess  just  one  follow  on.  After 
the  classification  review  according  to  the  government's  proposal  then 
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a  redacted  unclassified  version  of  the  transcript  will  be  released 
both  here  physically  in  the  courthouse  and  also  on  the  Department  of 
the  Army  website. 

MJ:  All  right.  Thank  you.  Captain  Morrow? 

REDIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  Morrow] : 

Q.  Agent  Shaver,  I  have  a  couple  more  questions  for  you.  I'd 
like  to  discuss  the  log  files  collected  from  the  Central  Intelligence 
Agency.  Did  you  examine  those  log  files  in  this  case? 

A.  Yes,  sir,  I  did. 

Q.  And  what  exactly  was  collected  by  CCIU? 

A.  There  was  two  sets  of  logs  collected.  First  would  be  Open 
Source  Center  or  OSC  and  then  the  second  one  a  set  of  logs  called 
Wire  Logs. 

Q.  And  what  is  the  Open  Source  Center? 

A.  Sir,  that  is  a  website.  It  has  Open  Source  stuff.  So  web 
documents,  transcripts,  television  shows,  things  like  that. 

Q.  And  do  you  know  whether  PFC  Manning  appeared  to  have  an 
Open  Source  Center  account? 

A.  Yes,  sir.  There  were  two  actual  accounts. 

Q.  And  what  was  the  user  name  of  the  accounts? 

A.  B.  Manning  was  the  first  one  and  the  second  one  was 
Bradass87 . 
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Q.  Now,  what  kind  of  information  was  captured  in  the  logs  for 
the  Open  Source  Center? 

A.  The  user  name,  the  date  and  time,  files  searched  for  and 
files  viewed. 

q.  Can  you  just  describe,  generally,  the  activity  you  observed 
for  the  Bradass87  user  account? 

A.  The  first  day  of  log  files  for  that  account  were  February 
20th,  2010.  There  were  a  number  of  searches  and  files  viewed.  There 
were  searches  for  WikiLeaks,  Iceland  and  other  things  as  well. 

Q.  And  do  you  recall  how  many  total  searches  for  WikiLeaks 
that  you  observed  in  the  log  files  you  examined? 

A.  Sir,  there  were  over  20. 

Q.  And  what  about  total  searches?  Approximately  how  many 
totals  searches  for  Iceland? 

A.  Approximately  25,  sir. 

Q.  And  do  you  recall  the  first  search  for  WikiLeaks  in  the 
Open  Source  Center  logs? 

A.  Yes,  sir.  It  was  on  the  first  day,  so  February  20th,  2010. 

Q.  And  what  about  the  first  search  for  Iceland? 

A.  Same  thing,  sir. 

ATC [CPT  MORROW]:  Thank  you.  Agent  Shaver. 
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RECROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Agent  Shaver. 

A.  Sir. 

Q.  The  first  search  in  the  Open  Source  Center  by  PFC  Manning's 
user  account  was  on  20  of  February,  correct? 

A.  Yes,  sir. 

Q.  Nothing  before  January? 

A.  Correct. 

Q.  Nothing  in  December?  And  PFC  Manning's  user  account  also 
searched  for  things  related  to  Iraq,  correct? 

A.  Yes,  sir. 

Q.  And  he  did  that  quite  a  bit? 

A.  Yes,  sir,  he  did. 

ADC [CPT  TOOMAN]:  Thank  you. 

MJ:  Redirect? 

ATC [CPT  MORROW]:  No,  Your  Honor. 

EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  Special  Agent  Shaver,  someone  from  a  user  account  like  in 
this  case  goes  and  searches  for,  say,  WikiLeaks  and  then  pulls  up 
something  in  the  search,  are  these  logs  able  to  track  that? 
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A.  Yes,  ma'am.  It  will  actual  say  'file  viewed.'  It  will 
actually  say  the  words  'file  viewed.' 

Q.  If  they  go  into  the  file  further? 

A.  If  they  open  the  file,  yes. 

Q.  Is  the  —  are  the  logs  able  to  track  that? 

A.  Yes. 

Q.  When  PFC  Manning  searched  for  WikiLeaks,  what  did  he  find? 

A.  Documents  pertaining  to  the  WikiLeaks  site.  I  don't  recall 
what  files  he  viewed.  I  just  looked  for  searches.  But  it's  Open 
Source  Center  stuff.  So  it  would  have  been  stuff  readily  available 
on  the  web. 

Q.  So  let  me  just  make  sure  I  understand  your  testimony.  The 
logs  track  what  the  user  views.  So  if  the  user  opens  something  with 
a  search  term  and  viewed  it,  the  log  would  tell  you  what  it  was  that 
they  reviewed? 

A.  Yes,  ma'am. 

Q.  And  in  this  particular  case,  you  just  don't  remember  what 
the  logs  say? 

A.  Pertaining  to? 

Q.  To  the  search  for  WikiLeaks. 

A.  Correct. 

MJ:  Okay.  Any  follow  up  based  on  that? 

ATC [CPT  MORROW]:  No,  Your  Honor. 
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ADC [CPT  TOOMAN] :  No,  ma'am. 

MJ:  Temporary  or  permanently  excused? 

ATC [CPT  MORROW]:  Temporary,  Your  Honor. 

MJ:  Did  the  government  want  to  state  in  the  open  court  what 

exhibits  were  admitted? 

ATC [CPT  MORROW]:  Absolutely,  Your  Honor.  Prosecution 

Exhibits  154,  166,  and  167  were  admitted. 

MJ:  All  right.  Temporarily  excused. 

[The  witness  was  temporarily  excused,  duly  warned,  and  withdrew  from 
the  courtroom . ] 

MJ:  Other  than  by  number,  is  there  any  way  to  label  those 

exhibits  in  open  court? 

ATC [CPT  MORROW]:  One  moment.  Your  Honor.  Your  Honor,  the 

plan  is  to  identify  those  exhibits  by  Bates  number.  We'll  do  that 
tomorrow  in  open  court. 

MJ:  All  right.  Is  there  anything  else  we  need  to  address  today 
other  than  timing  and  scheduling? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR.  COOMBS]:  No,  ma'am. 

MJ:  The  parties  have  talked  to  me  about  tomorrow's  scheduling. 

They  are  going  to  be  arriving  at  additional  stipulations  of  expected 
testimony  and  they  need  some  time  to  do  that.  So  we  are  going  to 
recess  court  today  and  beginning  tomorrow  at  1200,  at  noon,  to  allow 
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the  parties  to  continue  to  do  what  they  need  to  do  to  get  those 
stipulations  of  expected  testimony  and  I  believe  that's  all  we  need 
to  discuss  with  respect  to  scheduling.  Is  that  correct? 

TC [MAJ  FEIN]:  Ma'am,  it's  just  mostly  for  the  general  public's 
awareness  that  we  will  not  take  a  lunch  recess  tomorrow.  So  we'll 
start  at  noon  and  move  forward. 

MJ:  Okay.  So  we'll  all  have  eaten  lunch  before  we  start. 

Anything  else  we  need  to  address? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

MJ:  All  right.  Court  is  in  recess  until  noon  tomorrow. 

[The  court-martial  recessed  at  1615,  26  June  2013.] 

[END  OF  PAGE] 


9205 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 


o 


o 


[The  court-martial  was  called  to  order  at  1206,  27  June  2013.] 

MJ:  Court  is  called  to  order.  Major  Fein,  please  account  for 

the  parties. 

TC [MAJ  FEIN]:  Yes,  ma'am.  Your  Honor,  all  parties  when  the 
Court  last  recessed  are  again  present  with  the  addition  of  Captain 
Overgaard.  Also,  ma'am,  as  of  the  start  of  this  session  there  are 
ten  members  of  the  media  at  the  media  operations  center,  one 
stenographer,  no  media  in  the  courtroom,  spectators  in  the  courtroom 
and  there's  one  spectator  in  the  overflow  trailer.  The  rest  of  the 
trailer  is  available  and  the  theater  will  be,  if  needed. 

MJ:  All  right.  Thank  you.  Defense,  before  we  begin,  I  wanted 

to  ask  you  in  the  Court's  copy,  may  I  see  the  Defense  Motion  for 
Judicial  Notice  of  WikiLeaks  Publications  of  9-11  pager  messages?  I 
think  that's  Appellate  Exhibit,  it's  either  569,  570,  or  571.  May  I 
see  whichever  one  it  is? 

CDC [MR.  COOMBS]:  It  should  be  571,  Your  Honor. 

MJ:  All  right.  Just  so  everyone  knows,  I'm  looking  at 

Paragraph  1,  it  talks  about  the  text  and  pager  messages  sent  on  11 
September  2011,  and  then  the  footnote  says  2001.  Is  the  2011  a  typo? 

ADC [CPT  TOOMAN] :  Yes,  ma'am,  it  is. 

MJ:  So  it  should  be  2001? 

ADC [CPT  TOOMAN]:  Yes,  ma'am. 
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MJ:  So  for  the  record  in  Paragraph  1,  of  relief  sought,  right 

at  the  end  of  the  sentence  it  says  messages  sent  on  11  September 
2001.  You  want  to  just  go  ahead  and  change  it  and  initial  it? 

ADC [CPT  TOOMAN] :  Yes,  ma'am,  thank  you. 

MJ:  The  Court  notes  that  the  exhibit  has  been  changed  to  2001 

and  signed  by  Captain  Tooman  or  initialed  by  Captain  Tooman.  All 
right.  The  Court  is  prepared  to  rule  on  both  motions  for  judicial 
notice.  Defense  Requested  Judicial  Notice-On  15  June  2013,  the 
Defense  filed  3  motions  for  judicial  notice  Appellate  Exhibits  569 
through  571  requesting  the  Court  take  judicial  notice  of  the 
following  adjudicative  facts: 

The  13  October  2010,  classification  assessment  conducted  by 
Rear  Admiral  Kevin  Donegan,  Director  of  Operations  at  CENTCOM, 
regarding  the  Apache  Video  Prosecution  Exhibit  15. 

Two:  The  audio  transcript  for  Prosecution  Exhibit  15. 

Three:  On  or  about  25  November  2009,  WikiLeaks  published 

what  it  claimed  to  be  text  and  pager  messages  sent  on  11  September 
2001.  The  Defense  does  not  request  the  Court  to  take  judicial  notice 
of  the  messages  themselves  or  that  the  messages  are  actually  from  11 
September  2001. 

Four:  On  25  July  2007,  Reuters  made  a  FOIA  request  to  DoD 

for  video  and  audio  recordings  relating  to  the  deaths  of  Mr.  Namir 
Noor-Eldeen  and  Mr.  Saeed  Chmagh,  Reuters  journalists.  CENTCOM 
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responded  to  the  Reuters  request  on  24  April  2009.  On  19  June  2013, 
the  Government  filed  a  brief  opposing  1,  2,  and  4  above  Appellate 
Exhibit  574.  After  oral  argument,  the  Government  revised  its 
position  and  did  not  object  to  2,  3,  and  4  above.  The  parties 
stipulate  that  Enclosure  2  to  Appellate  Exhibit  574  is  an  accurate 
transcript  of  the  audio  of  Prosecution  Exhibit  15.  The  Government 
objected  to  the  classified  —  to  the  classification  assessment  in  1 
as  hearsay  not  admissible  as  a  statement  of  a  party  opponent  under 
M.R.E.  802(d) (2) (D) .  The  Court  will  grant  Judicial  Notice  for  2,  3, 
and  4 .  The  only  remaining  issue  regarding  the  Defense  motions  for 
judicial  notice  is  whether  the  Court  will  take  judicial  notice  of 
Number  1. 

Government  requests  for  Judicial  Notice:  On  25  June  2013, 
the  Government  filed  a  motion  for  Judicial  Notice  corrected  copy  at 
Appellate  Exhibit  576  moving  the  Court  to  take  notice  of  the 
following  adjudicative  facts:  Adjudicative  Facts:  WikiLeaks 
Releases 

a.  WikiLeaks  released  a  video  titled  "Collateral  Murder" 
on  5  April  2010; 

b.  WikiLeaks  released  more  than  390,000  records  from  the 
Combined  Information  Data  Network  Exchange  (CIDNE)  Iraq  database  on 
22  October  2010; 
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c.  WikiLeaks  released  more  than  75,000  records  from  the 
CIDNE  Afghanistan  database  on  25  July  2010; 

d.  WikiLeaks  released  more  than  700  detainee  assessments 
produced  by  Joint  Task  Force  Guantanamo  (JTF-GTMO)  on  25  April  2011; 

e.  WikiLeaks  released  a  memorandum  produced  by  the  Army 
Counterintelligence  Center  titled  "Wikileaks . org-An  Online  Reference 
to  Foreign  Intelligence  Services,  Insurgents,  or  Terrorist  Groups?" 
on  15  March  2010; 

Adjudicative  Facts:  Salary  of  Servicemembers  and  Government 

Employees 

f.  The  monthly  base  salary  for  Servicemembers  at  the  rank 
of  Specialist,  E-4,  was  $1,502.70  in  2003,  $1,558.20  in  2004, 
$1,612.80  in  2005,  $1,662.90  in  2006,  $1,699.50  in  2007,  $1,758.90  in 
2008,  $1,827.60  in  2009,  and  $1,889.70  in  2010; 

g.  The  yearly  base  salary  for  government  employees  at  the 
grade  of  12  on  the  General  Schedule  scale  was  $51,508  in  2003, 

$52,899  in  2004,  $54,221  in  2005,  $55,360  in  2006,  $56,301  in  2007, 
$57,709  in  2008,  $59,383  in  2009,  and  $60,274  in  2010; 

Adjudicative  Facts:  Reference  Materials: 

h.  The  existence  of  Army  Regulation  25-1,  dated  13 

November  2007,  specifically  Paragraphs  1-1,  subparagraphs  (a)  and  (b) 
of  1-7,  and  subparagraphs  (d) ,  (e) ,  and  (f)  of  6-1  and  the  definition 

of  "Information  System";  in  —  additionally  the  government's  motion 
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said  Section  2  of  the  Glossary  of  Army  Regulation  27-1  and  they 
revised  that  to  say  the  definition  in  Army  Regulation  27-2.  So,  the 
judicial  notice  requested  is  —  I'm  sorry,  25-2,  and  that's  the 
current  request  for  judicial  notice. 

i.  The  existence  of  Department  of  Defense,  DoD,  is  that 
Directive  or  Instruction? 

TC [MAJ  FEIN]:  May  I  have  a  moment,  Your  Honor? 

MJ:  Yes. 

TC [MAJ  FEIN]:  Your  Honor,  DoD  5400. 11-R  is  a  DoD  Regulation, 
that's  administered  under  the  DoD  Directive  5400.11. 

MJ:  Okay.  So  you  are  asking  me  to  take  judicial  notice  of  the 

DoD  Regulation? 

TC [MAJ  FEIN]:  Yes,  ma’am. 

MJ:  Not  the  Directive? 

TC [MAJ  FEIN]:  Yes,  ma’am,  5400. 11-R. 

MJ:  Okay.  Does  the  -R  make  it  a  regulation? 

TC [MAJ  FEIN]:  Yes,  ma’am,  this  is  a  regulation. 

MJ:  All  right.  So,  that's  —  It's  a  DoD  —  what  you  want  me  to 

take  judicial  notice  is  entitled  DoD  5400. 11-R? 

TC [MAJ  FEIN]:  Yes,  ma’am. 

MJ:  Okay. 

TC [MAJ  FEIN]:  The  Department  of  Defense  Privacy  Program,  dated 
May  14th  2007. 
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MJ:  Okay.  Specifically  Appendix  1  and  the  definition  of 

"Personal  Information;"  Adjudicative  Facts:  Miscellaneous 

j.  Thanksgiving  of  2009  occurred  on  26  November  2009; 

k.  The  term,  ".is,"  is  the  top  level  internet  domain  of 

Iceland; 

l.  Johanna  Sigurdardottir  was  the  Prime  Minister  of 
Iceland  from  February  2009-May  2013;  Ossur  Skarphedinsson  was  the 
Icelandic  Minister  for  Foreign  Affairs  from  February  2009  -May  2013; 
Albert  Jonsson  was  the  Icelandic  Ambassador  to  the  United  States  from 
2006-2009;  and  Birgitta  Jonsdottir  has  been  a  member  of  the  Icelandic 
parliament  since  2009;  and 

m.  The  Internet  chat  lingo  and  their  meanings  in  Enclosure 
13  are  synonymous. 

On  25  June  2013,  the  Defense  filed  a  brief  objecting  to  all 
of  the  above  except  j  and  m  on  the  grounds  of  relevance.  The  Defense 
did  not  object  to  j  and  objected  to  m  as  an  improper  subject  for 
judicial  notice.  At  oral  argument,  the  Defense  conceded  that  a  -  1 
were  properly  judicially  noticed  adjudicative  facts  if  relevant. 

Thus,  with  the  exception  of  j,  all  of  the  Government's  motions  for 
judicial  notice  remain  at  issue. 

The  Law:  Judicial  Notice 

One,  Military  Rule  of  Evidence  201  governs  judicial  notice 
of  adjudicative  facts.  The  judicially  noticed  fact  must  be  one  not 
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subject  to  reasonable  dispute  in  that  it  is  either  (1)  generally 
known  universally,  locally,  or  in  the  area  pertinent  to  the  event  or 
(2)  capable  of  accurate  and  ready  determination  by  resort  to  sources 
whose  accuracy  cannot  reasonably  be  questioned.  US.  v.  Needham,  23 
M.J.  383  (Court  of  Military  Appeals  1987);  US.  v.  Brown,  33  M.J.  706 
(Army  Court  of  Military  Review  1991) . 

Two,  Military  Rule  of  Evidence  201(c)  requires  the  military 
judge  to  take  judicial  notice  of  adjudicative  facts  if  requested  by  a 
patty  and  supplied  with  the  necessary  information. 

Three,  when  the  military  judge  takes  judicial  notice  of 
adjudicative  facts,  the  fact  finder  is  instructed  that  they  may,  but 
are  not  required  to,  accept  as  conclusive  any  matter  judicially 
noticed. 

Four,  Judicial  notice  is  of  adjudicative  facts.  Judicial 
notice  is  not  appropriate  for  inferences  a  party  hopes  the  fact 
finder  will  draw  from  the  fact(s)  judicially  noticed.  Legal  arguments 
and  conclusions  are  not  adjudicative  facts  subject  to  judicial 
notice.  US.  v.  Anderson,  22  M.J.  885  (Air  Force  Court  of  Military 
Review  1985)  (appropriate  to  take  judicial  notice  of  the  existence  of 
a  treatment  program  at  a  confinement  facility  but  not  appropriate  to 
take  judicial  notice  of  the  quality  of  the  program. ) . 

The  Law:  Hearsay. 
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One,  hearsay  is  a  statement,  other  than  the  one  made  by  the 
declarant  while  testifying  at  the  trial,  offered  in  evidence  to  prove 
the  truth  of  the  matter  asserted.  M.R.E.  801(c).  Hearsay  is  not 
admissible  except  as  provided  by  the  Military  Rules  of  Evidence  or  by 
any  Act  of  Congress  applicable  in  trials  by  court-martial.  Military 
Rule  of  Evidence  802. 

Two,  Admission  by  a  Party  Opponent.  Military  Rule  of 
Evidence  801(d) (2) (D)  provides  in  relevant  part  that  admissions  by  a 
Party  Opponent  are  not  hearsay  if  the  statement  is  offered  against  a 
party  and  is  a  statement  by  the  party's  agent  or  servant  concerning  a 
matter  within  the  scope  of  the  agency  or  employment  of  the  agent  or 
servant  made  during  the  existence  of  the  relationship.  The  contents 
of  the  statement  shall  be  considered  but  are  not  alone  sufficient  to 
establish  the  declarant's  agency  or  employment  relationship  and  the 
scope  thereof  under  (D) .  Consistent  with  the  Court's  18  October 
2012,  Ruling,  entitled  Defense  Motion:  Motion  for  Judicial  Notice  of 
Adjudicative  facts-Finkel  Book  and  Public  statements.  Appellate 
Exhibit  356,  the  Court  adopts  the  three-part  test  adopted  by  the 
Second  Circuit  in  United  States  v.  Salerno,  937  F.2d  797,  at  811  (2d 
Circuit  1991)  to  determine  if  the  classification  assessment  by  Rear 
Admiral  Donegan  qualifies  as  an  admission  under  M.R.E.  801(d) (2) (D) 
against  the  Government  and  is  worthy  of  judicial  notice.  That  three- 
part  test  is  —  I'm  sorry,  that  three-part  test  requires  the  Court, 
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"[to]  be  satisfied  that  the  prior  [statement]  involves  an  assertion 
of  fact  inconsistent  with  similar  assertions  in  a  subsequent  trial. 
Second,  the  court  must  determine  that  the  [statements]  were  such  as 
to  be  the  equivalent  of  testimonial  statements.  Lastly,  the  district 
court  must  determine  by  a  preponderance  of  the  evidence  that  the 
inference  that  the  proponent  of  the  statements  wishes  to  draw  is  a 
fair  one  and  that  an  innocent  explanation  for  the  inconsistency  does 
not  exist."  Salerno ,  937  F.2d  at  811  (2d  Circuit  1991)  (quoting 
United  States  v.  McKeon,  738  F.2d  26,  at  33  (2d  Circuit  1984) 
(quotations  omitted);  see  also  United  States  v.  DeLoach,  34  F. 3d 
1001,  1005  (11th  Circuit  1994)  (adopting  the  test  from  Salerno).  The 
fact  that  a  statement  is  admissible  against  a  party  opponent  does  not 
bind  the  party  to  that  statement.  The  party  against  whom  such  a 
statement  is  made  can  rebut  the  statement  and  assert  a  different  or 
contrary  position.  US.  v.  Bellamy ,  403  Maryland  at  329,  footnote  19. 

The  Law:  Use  of  Statements  Made  by  an  Accused  during  the 
Providence  Inquiry  in  the  Merits  of  the  Trial.  An  accused's  guilty 
plea  to  a  lesser  included  offense  may  be  used  to  establish  elements 
of  the  greater  offense  during  the  contested  portion  of  the  trial. 
Statements  made  by  the  accused  during  the  providence  inquiry,  whether 
orally  or  in  writing,  are  not  evidence  that  is  before  the  trier  of 
fact  and  may  not  be  considered  during  the  contested  portion  of  the 
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1  trial.  Rule  for  Court-Martial  913(a)  Discussion;  US.  v.  Grijalva ,  55 

2  M.J.  223  (Court  of  Appeals  for  the  Armed  Forces,  2001). 

3  Conclusions  of  Law:  Defense  Motion  for  Judicial  Notice  of 

4  Classified  Assessment  —  Classification  Assessment  of  Rear  Admiral 

5  Donegan. 

6  One,  the  Court  will  not  consider  any  statements  made  by  the 

7  accused  during  the  providence  inquiry  as  evidence  to  support  any  of 

8  the  requests  for  judicial  notice. 

9  Two,  Rear  Admiral  Donegan' s  statement  meets  the  Salerno 

10  test  and  qualifies  as  an  admission  of  a  patty  opponent  under  M.R.E. 

11  801(d) (2) (D) .  Rear  Admiral  Donegan  was  acting  in  his  official 

12  capacity  as  Director  of  Operations,  CENTCOM,  when  he  made  the 

13  classification  assessment.  The  classification  assessment  states 

14  facts  inconsistent  with  the  Stipulation  of  Expected  Testimony  of  CW5 

15  John  Larue  at  Prosecution  Exhibit  117.  The  inference  the  Defense 

16  wishes  to  draw  is  a  fair  one. 

17  Three,  the  Court  will  take  Judicial  Notice  of  the  13 

18  October  2010,  classification  assessment  by  Rear  Admiral  Donegan. 

19  Government  Motion  for  Judicial  Notice.  The  facts  in  a 

20  through  1  are  adjudicative  facts  capable  of  accurate  and  ready 

21  determination  of  by  resort  to  sources  whose  accuracy  cannot 

22  reasonably  be  questioned. 
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WikiLeaks  Releases:  The  Court  has  already  cited  those 
above,  although  I  have  them  listed  in  the  ruling,  I  won't  read  them 
again. 

All  of  the  WikiLeaks  releases  are  relevant  to  show  the  path 
of  information  allegedly  from  the  accused  through  WikiLeaks  with 
opportunity  to  access  it  by  the  enemy  for  the  Specification  of  Charge 
I  (Aiding  the  Enemy)  and  for  the  caused  to  be  published  element  of 
Specification  1  of  Charge  II  (Wantonly  Caused  to  be  Published) .  In 
addition  a  through  e  are  relevant  to  facts  at  issue  as  to  whether  the 
accused  stole,  purloined,  or  knowingly  converted  information  and 
whether  the  information  was  closely  held  by  the  Government  for  the 
following  specifications  of  Charge  II:  a  Specification  2;  b 
Specifications  4  and  5;  c  Specifications  6  and  7;  d  Specifications  8 
and  9;  and  e  Specification  15.  The  government  [sic]  will  take 
judicial  notice  of  a  through  e. 

Adjudicative  Facts:  Salary  of  Servicemembers  and  Government 
Employees,  once  again,  I  read  them  before  when  we  did  the 
introduction  of  what  the  government  was  seeking  judicial  notice  for. 
The  Court  will  not  read  them  again.  The  monthly  and  yearly  base 
salaries  of  Servicemembers  and  government  employees  in  the  grade  of 
GS  12  are  relevant  to  a  fact  in  issue  to  prove  value  of  the 
information  in  Specifications  8  and  16  of  Charge  II.  The  Court  will 
take  judicial  notice  of  f  and  g. 
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Adjudicative  Facts:  Reference  Materials: 

The  existence  of  Army  Regulation  25-1,  dated  13  November  — 
excuse  me,  I've  already  read  those  as  well.  I  won't  read  them  again. 
The  references  in  AR  25-1,  AR  25-2,  and  DoD  5400-R  are  relevant  to  a 
fact  at  issue  in  Specification  16  of  Charge  II  to  prove  that  the 
information  stolen  was  a  thing  of  value  to  the  United  States  and  are 
also  relevant  to  a  fact  at  issue  in  Specification  4  of  Charge  III  to 
prove  that  the  accused  used  an  information  system  for  a  manner  other 
than  its  intended  use.  The  Court  will  take  judicial  notice  of  h  and 
i . 

Now,  before  I  proceed  with  the  rest  of  this,  I  do  want  to 
ask,  Defense,  I'm  taking  judicial  notice  of  the  definition  of 
information  system  for  the  government  and  AR  25-2.  Does  the  defense 
want  me  to  take  the  definitions  of  information  systems  that  you  gave 
me  with  respect  to  litigating  this  motion  in  AR  25-1  and  I  forgot  the 
other  publication  that  you  gave  me. 

ADC [CPT  TOOMAN] :  No,  ma'am. 

MJ:  Okay.  I'll  continue  on  with  the  ruling  then. 

Adjudicative  Facts:  Miscellaneous  j. 

Thanksgiving  of  2009  occurred  on  26  November  2009;  k  and  1 
were  the  IS  and  Islandic  officials  and  m  was  the  Internet  chat  lingo. 
The  Defense  does  not  object  to  the  Court  taking  judicial  notice  of  j. 
The  terms  and  names  in  k  and  1  were  used  by  the  accused  in  searches 
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on  Intelink  and  chats  with  Press  Association/ Julian  Assange 
(Prosecution  Exhibits  81;  123;  and  127).  The  facts  at  k  and  1  are 
relevant  to  explain  to  the  fact-finder  the  terms  used  in  the  searches 
and  chats  by  the  accused  and  are  also  relevant  to  whether  the  accused 
acted  wantonly  for  Specification  1  of  Charge  II.  The  Government  has 
provided  no  references  for  m  other  than  a  chart  of  chat  terms  and 
translations  prepared  by  an  unknown  person  or  entity.  The  facts  at  m 
are  not  adjudicative  facts  capable  of  accurate  and  ready 
determination  by  resort  to  sources  whose  accuracy  cannot  reasonably 
be  questioned.  The  Court  will  take  judicial  notice  of  j,  k,  and  1. 
The  Court  will  not  take  judicial  notice  of  m. 

Ruling:  The  Defense  motions  for  judicial  notice  are 

Granted.  The  Government  motions  for  judicial  notice  are  Granted  in 
Part.  The  Court  will  take  judicial  notice  of  a  through  1.  The  Court 
will  not  take  judicial  notice  of  m  meanings  of  internet  chat  lingo. 

Is  there  anything  further  with  respect  to  this  ruling? 

CDC [MR.  COOMBS]:  No,  ma'am. 

TC [MAJ  FEIN]:  No,  ma'am. 

MJ:  All  right.  I'll  have  this  ruling  marked  as  the  next 
Appellate  Exhibit  in  line.  As  I  was  reading  it  I  was  noticing  a 
couple  of  typos  and  will  go  ahead  and  mark  this  but  I'm  going  to  do  a 
corrected  copy  and  I  believe  the  court  reporter  told  me  that  would  be 
Appellate  Exhibit  582. 
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Is  there  anything  else  we  need  to  address  before  we 

proceed? 

TC [MAJ  FEIN]:  Yes,  ma'am.  There's  one  housekeeping  issue  from 
yesterday.  During  the  closed  session  the  United  States  offered  and 
had  admitted  three  pieces  of  evidence  and  the  United  States  can  put 
that  on  the  public  record  what,  at  least  the  unclassified 
description . 

MJ:  Go  ahead. 

TC [MAJ  FEIN]:  First  was  Prosecution  Exhibit  154,  the 
description  is  it  was  the  —  it  was  index.dat  document  migration 
summary,  classified.  Prosecution  Exhibit  166  is  a  memorandum.  Bates 
number  00374994-00374996,  which  is  one  of  the  two  charged  documents 
for  Specification  3  of  Charge  II.  And  Prosecution  Exhibit  167  is  a 
memorandum.  Bates  number  00374990  through  00374993,  which  is  the 
second  of  two  documents  for  the  charged  documents  for  Specification  3 
of  Charge  II. 

MJ:  All  right.  Thank  you.  Any  other  administrative  matters  we 

need  to  address? 

TC [MAJ  FEIN]:  No,  ma'am. 

CDC [MR .  COOMBS]:  No,  Your  Honor. 

MJ:  All  right.  Government,  please  proceed. 

ATC [CPT  MORROW]:  United  States  recalls  Special  Agent  Mark 

Mander . 


9219 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 


©  9 


SPECIAL  AGENT  MARK  MANDER,  was  recalled  as  a  witness  for  the 
prosecution,  was  reminded  he  was  still  under  oath,  and  testified  as 
follows : 

DIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  Morrow] : 

Q.  Agent  Mander,  I'm  going  to  ask  you  to  identify  a  couple  of 
documents,  okay? 

A.  Okay. 

ATC [CPT  MORROW]:  I'm  retrieving  Prosecution  Exhibits  31  Alpha 

and  32  Alpha  for  Identification.  I'm  showing  them  to  defense 
counsel . 

Q.  Agent  Mander,  I'm  handing  you  Prosecution  Exhibits  31  Alpha 
and  32  Alpha  for  Identification.  Can  you  take  a  look  at  those, 
please? 

A.  Okay. 

Q.  Do  you  recognize  those  documents? 

A.  I  do. 

Q.  And  what  are  they? 

A.  These  are  two  documents  that  basically  contain  information 
from  Twitter  from  the  WikiLeaks  Twitter  account. 

Q.  Okay.  And  I  want  to  be  very  specific  about  what  they  are. 
Is  it  an  image  of  something?  Can  you  describe  that,  please? 
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A.  These  are  what  we  would  call  a  screen  capture.  It's 
basically  what  I  saw  on  my  computer  screen  at  the  time  that  I  went  to 
these  particular  URLs. 

Q.  And  can  you  describe  the  process  of  creating  a  screen 
capture  or  what  you  do  in  this  case  for  these  two  documents? 

A.  In  the  case  of  these  two  documents  I  navigated  to  the 
Twitter  web  page  and  specifically  the  location  that  contained  these 
two  messages  on  the  Twitter  website,  and  then  basically  made  a  copy 
of  what  was  on  my  computer  screen,  placed  that  copy  into  a  PowerPoint 
document,  and  then  printed  out  those  two  pages,  or  these  two  pages, 
and  then  initialed  the  bottom  right  of  each  page. 

Q.  And  when  did  you  do  all  this? 

A.  This  was,  excuse  me,  sometime  last  year,  I  believe  it  was 
in  August  of  last  year. 

ATC [CPT  MORROW]:  Permission  to  publish.  Your  Honor. 

MJ:  Go  ahead. 

[There  was  a  brief  pause  while  the  assistant  trial  counsel  published 
the  exhibit  to  the  Court  and  the  witness . ] 

Q.  Agent  Mander,  I'm  going  to  show  you  31  Alpha  first,  okay? 

A.  Okay. 

Q.  I  know  it's  a  little  difficult  to  see.  But  really  what  I'm 
concerned  with  is  the  very  top  line,  the  HTTP : //Twitter . com;  was  that 
part  of  the  screen  capture? 


9221 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


o  u 


A.  That  was  not. 

Q.  What  is  that?  Why  was  that  added? 

A.  I  added  that  in  because  I  noticed  at  the  resolution  to 
shrink  down  the  screen  capture  to  get  it  all  on  one  page  it  makes  the 
actual  address,  which  is  what  that  is,  above  kind  of  hard  to  see,  so 
I  just  added  that  in  there  just  so  it  would  make  it  a  little  easier 
to  identify  what  I  was  actually  looking  at,  at  the  time. 

Q.  How  did  you  create  that  line  of  information  then 
specifically? 

A.  I  pasted  the  screen  capture  of  the  site  that  was  on  my 
computer  screen  which  is  basically  the  rectangular  box. 

Q.  I'm  specifically  referring  to  the  web  address. 

A.  Right.  And  then  just  added  the  web  address  as  a  text  box 
inside  the  Power  Point  document. 

Q.  Okay.  And  those  are  your  initials  in  the  bottom  right-hand 
corner? 

A.  They  are. 

Q.  I'm  going  to  show  you  32  Alpha  at  this  time.  And,  again, 
was  it  the  same  process  to  create  the  web  address  at  the  very  top, 
the  HTTP: //Twitter? 

A.  Yes. 

Q.  And,  again,  are  those  your  initials  on  the  bottom  right- 
hand  corner? 
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INSTRUCTIONS  FOR  PREPARING  AND  ARRANGING  RECORD  OF  TRIAL 


USE  OF  FORM  -  Use  this  form  and  MCM,  1984, 
Appendix  14,  will  be  used  by  the  trial  counsel  and 
the  reporter  as  a  guide  to  the  preparation  of  the 
record  of  trial  in  general  and  special  court-martial 
cases  in  which  a  verbatim  record  is  prepared.  Air 
Force  uses  this  form  and  departmental 
instructions  as  a  guide  to  the  preparation  of  the 
record  of  trial  in  general  and  special  court-martial 
cases  in  which  a  summarized  record  is  authorized. 
Army  and  Navy  use  DD  Form  491  for  records  of 
trial  in  general  and  special  court-martial  cases  in 
which  a  summarized  record  is  authorized. 
Inapplicable  words  of  the  printed  text  will  be 
deleted. 

COPIES  -  See  MCM,  1984,  RCM  1103(g).  The 
convening  authority  may  direct  the  preparation  of 
additional  copies. 

ARRANGEMENT  -  When  forwarded  to  the 
appropriate  Judge  Advocate  General  or  for  judge 
advocate  review  pursuant  to  Article  64(a),  the 
record  will  be  arranged  and  bound  with  allied 
papers  in  the  sequence  indicated  below.  Trial 
counsel  is  responsible  for  arranging  the  record  as 
indicated,  except  that  items  6,  7,  and  15e  will  be 
inserted  by  the  convening  or  reviewing  authority, 
as  appropriate,  and  items  10  and  14  will  be 
inserted  by  either  trial  counsel  or  the  convening  or 
reviewing  authority,  whichever  has  custody  of 
them. 

1 .  Front  cover  and  inside  front  cover  (chronology 
sheet)  of  DD  Form  490. 

2.  Judge  advocate’s  review  pursuant  to  Article 
64(a),  if  any. 

3.  Request  of  accused  for  appellate  defense 
counsel,  or  waiver/withdrawal  of  appellate  rights, 
if  applicable. 

4.  Briefs  of  counsel  submitted  after  trial,  if  any 
(Article  38(c)). 

5.  DD  Form  494,  "Court-Martial  Data  Sheet." 

6.  Court-martial  orders  promulgating  the  result  of 
trial  as  to  each  accused,  in  10  copies  when  the 
record  is  verbatim  and  in  4  copies  when  it  is 
summarized. 

7.  When  required,  signed  recommendation  of 
staff  judge  advocate  or  legal  officer,  in  duplicate, 
together  with  all  clemency  papers,  including 
clemency  recommendations  by  court  members. 


8.  Matters  submitted  by  the  accused  pursuant  to 
Article  60  (MCM,  1 984,  RCM  1 1 05). 

9.  DD  Form  458,  "Charge  Sheet”  (unless  included 
at  the  point  of  arraignment  in  the  record). 

10.  Congressional  inquiries  and  replies,  if  any. 

11.  DD  Form  457,  "Investigating  Officer's  Report,” 
pursuant  to  Article  32,  if  such  investigation  was 
conducted,  followed  by  any  other  papers  which 
accompanied  the  charges  when  referred  for  trial, 
unless  included  in  the  record  of  trial  proper. 

12.  Advice  of  staff  judge  advocate  or  legal  officer, 
when  prepared  pursuant  to  Article  34  or  otherwise. 

13.  Requests  by  counsel  and  action  of  the 
convening  authority  taken  thereon  (e.g.,  requests 
concerning  delay,  witnesses  and  depositions). 

14.  Records  of  former  trials. 

15.  Record  of  trial  in  the  following  order: 

a.  Errata  sheet,  if  any. 

b.  Index  sheet  with  reverse  side  containing 
receipt  of  accused  or  defense  counsel  for  copy  of 
record  or  certificate  in  lieu  of  receipt. 

c.  Record  of  proceedings  in  court,  including 
Article  39(a)  sessions,  if  any. 

d.  Authentication  sheet,  followed  by  certificate 
of  correction,  if  any. 

e.  Action  of  convening  authority  and,  if  appro¬ 
priate,  action  of  officer  exercising  general  court- 
martial  jurisdiction. 

f.  Exhibits  admitted  in  evidence. 

g.  Exhibits  not  received  in  evidence.  The  page 
of  the  record  of  trial  where  each  exhibit  was 
offered  and  rejected  will  be  noted  on  the  front  of 
each  exhibit. 

h.  Appellate  exhibits,  such  as  proposed  in¬ 
structions,  written  offers  of  proof  or  preliminary 
evidence  (real  or  documentary),  and  briefs  of 
counsel  submitted  at  trial. 
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